Skip to content

Bump the npm_and_yarn group across 4 directories with 19 updates#33947

Closed
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/docs/npm_and_yarn-613a5413e2
Closed

Bump the npm_and_yarn group across 4 directories with 19 updates#33947
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/docs/npm_and_yarn-613a5413e2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm_and_yarn group with 4 updates in the /docs directory: node-forge, postcss, webpack-dev-server and yaml.
Bumps the npm_and_yarn group with 9 updates in the /examples/docs_projects/project_etl_tutorial/dashboard directory:

Package From To
follow-redirects 1.15.11 1.16.0
ip-address 9.0.5 10.2.0
lodash 4.17.23 4.18.1
node-forge 1.3.3 1.4.0
postcss 8.5.2 8.5.15
axios 1.13.5 1.18.0
basic-ftp 5.3.0 5.3.1
devalue 5.6.4 5.8.1
fast-xml-builder 1.0.0 1.2.0

Bumps the npm_and_yarn group with 9 updates in the /js_modules directory:

Package From To
@babel/plugin-transform-modules-systemjs 7.29.0 7.29.7
brace-expansion 1.1.12 1.1.15
fast-uri 3.1.0 3.1.2
ip-address 10.1.0 10.2.0
postcss 8.5.6 8.5.10
uuid 9.0.1 14.0.0
vite 7.3.1 7.3.5
@tootallnate/once 2.0.0 2.0.1
next 15.5.15 15.5.18

Bumps the npm_and_yarn group with 1 update in the /js_modules/app-oss directory: uuid.

Updates node-forge from 1.3.3 to 1.4.0

Changelog

Sourced from node-forge's changelog.

1.4.0 - 2026-03-24

Security

  • HIGH: Denial of Service in BigInteger.modInverse()
    • A Denial of Service (DoS) vulnerability exists due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU.
    • Reported by Kr0emer.
    • CVE ID: CVE-2026-33891
    • GHSA ID: GHSA-5gfm-wpxj-wjgq
  • HIGH: Signature forgery in RSA-PKCS due to ASN.1 extra field.
    • RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing "garbage" bytes within the ASN.1 structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN.1 structure, rather than outside of it.
    • Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries.
    • Reported as part of a U.C. Berkeley security research project by:
      • Austin Chu, Sohee Kim, and Corban Villa.
    • CVE ID: CVE-2026-33894
    • GHSA ID: GHSA-ppp5-5v6c-4jwp
  • HIGH: Signature forgery in Ed25519 due to missing S < L check.
    • Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (S >= L). A valid signature and its S + L variant both verify in forge, while Node.js crypto.verify (OpenSSL-backed) rejects the S + L variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed.
    • Reported as part of a U.C. Berkeley security research project by:
      • Austin Chu, Sohee Kim, and Corban Villa.
    • CVE ID: CVE-2026-33895
    • GHSA ID: GHSA-q67f-28xg-22rw
  • HIGH: basicConstraints bypass in certificate chain verification.
    • pki.verifyCertificateChain() does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid.
    • Reported by Doruk Tan Ozturk (@​peaktwilight) - doruk.ch
    • CVE ID: CVE-2026-33896
    • GHSA ID: GHSA-2328-f5f3-gj25

... (truncated)

Commits

Updates postcss from 8.5.3 to 8.5.15

Release notes

Sourced from postcss's releases.

8.5.15

  • Fixed declaration parsing performance (by @​homanp).

8.5.14

8.5.13

  • Fixed postcss-scss commend regression.

8.5.12

  • Fixed reading any file via user-generated CSS.
  • Added opts.unsafeMap to disable checks.

8.5.11

  • Fixed nested brackets parsing performance (by @​offset).

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.

8.5.8

  • Fixed Processor#version.

8.5.7

  • Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

  • Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

  • Fixed package.jsonexports compatibility with some tools (by @​JounQin).

8.5.4

Changelog

Sourced from postcss's changelog.

8.5.15

  • Fixed declaration parsing performance (by @​homanp).

8.5.14

8.5.13

  • Fixed postcss-scss commend regression.

8.5.12

  • Fixed reading any file via user-generated CSS.
  • Added opts.unsafeMap to disable checks.

8.5.11

  • Fixed nested brackets parsing performance (by @​offset).

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.

8.5.8

  • Fixed Processor#version.

8.5.7

  • Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

  • Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

  • Fixed package.jsonexports compatibility with some tools (by @​JounQin).

8.5.4

Commits
  • eae46db Release 8.5.15 version
  • 79508ff Update CI actions
  • b128e21 Speed up declaration parsing by avoiding creating new array on each token
  • 9825dca Fix code format
  • 55789c8 Update dependencies
  • 84fbbe9 Install older pnpm action for old Node.js
  • 9f860bd Revert pnpm action for old Node.js
  • 0877198 Update CI actions
  • b2d1a33 Fix linter warnings
  • 0700dac Merge pull request #2088 from rootvector2/add-oss-fuzz-harness
  • Additional commits viewable in compare view

Updates webpack-dev-server from 5.2.2 to 5.2.5

Release notes

Sourced from webpack-dev-server's releases.

v5.2.5

Patch Changes

  • Skip the HMR WebSocket path when forwarding upgrade requests to user-defined proxies, so custom proxy WebSocket upgrades are no longer intercepted by the dev server. (by @​bjohansebas in #5680)

v5.2.4

5.2.4 (2026-05-11)

Bug Fixes

  • set Cross-Origin-Resource-Policy header to prevent source code theft over HTTP

v5.2.3

5.2.3 (2026-01-12)

Bug Fixes

  • add cause for errorObject (#5518) (37b033d)
  • compatibility with event target and universal target and lazy compilation (574026c)
  • overlay: add ESC key to dismiss overlay (#5598) (f91baa8)
  • progress indicator styles (#5557) (41a53a1)
  • upgrade selfsigned to v5
Changelog

Sourced from webpack-dev-server's changelog.

5.2.5

Patch Changes

  • Skip the HMR WebSocket path when forwarding upgrade requests to user-defined proxies, so custom proxy WebSocket upgrades are no longer intercepted by the dev server. (by @​bjohansebas in #5680)

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

5.2.4 (2026-05-11)

Bug Fixes

  • set Cross-Origin-Resource-Policy header to prevent source code theft over HTTP

5.2.3 (2026-01-12)

Bug Fixes

  • add cause for errorObject (#5518) (37b033d)
  • compatibility with event target and universal target and lazy compilation (574026c)
  • overlay: add ESC key to dismiss overlay (#5598) (f91baa8)
  • progress indicator styles (#5557) (41a53a1)
  • upgrade selfsigned to v5
Commits
  • c3ee325 chore(release): new release (#5682)
  • 60173be feat: add changeset validation and release workflow (#5680)
  • 948d5e6 fix(proxy): match the HMR upgrade path exactly like the ws server (#5678)
  • 93e8996 fix: skip HMR websocket path when forwarding upgrades to user-defined proxies...
  • fd40130 chore(release): 5.2.4
  • ece4f36 chore: update deps (#5661)
  • a216144 ci: fix test (#5658)
  • df073c5 Merge commit from fork
  • b550a70 chore(release): 5.2.3
  • 9704dc5 chore: upgrade selfsigned to v5 and remove node-forge dependency (#5618)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for webpack-dev-server since your current version.


Updates yaml from 2.7.0 to 2.9.0

Release notes

Sourced from yaml's releases.

v2.9.0

The changes here are really only patches, but I'm releasing this as a minor version to note a small change to the documentation of parseDocument() and parseAllDocuments(): I've removed the claim that they'll "never throw".

It remains the case that practically all non-malicious inputs will be handled without emitting an error, but there is a decent chance that code paths remain where e.g. a RangeError due to call stack exhaustion can be triggered by malicious inputs. Up to now, I've considered these as security vulnerabilities, and in fact it's the only category of error for which yaml CVEs have been issued so far.

Starting from this release, I'll be considering such errors as bugs, but not vulnerabilities. I do welcome people and/or LLMs looking for them, but please report them as normal issues rather than suspected security vulnerabilities. This also applies to previously undiscovered bugs in earlier releases.

  • fix: Avoid calling Array.prototype.push.apply() with large source array
  • fix(lexer): Avoid recursive calls that may exhaust the call stack

v2.8.4

  • Disable alias resolution with maxAliasCount:0 (#677)
  • Handle invalid unicode escapes (e1a1a77)
  • Apply minFractionDigits only to decimal strings (#676)

v2.8.3

  • Add trailingComma ToString option for multiline flow formatting (#670)
  • Catch stack overflow during node composition (1e84ebb)

v2.8.2

  • Serialize -0 as -0 (#638)
  • Do not double newlines for empty map values (#642)

v2.8.1

  • Preserve empty block literals (#634)

v2.8.0

  • Add node cache for faster alias resolution (#612)
  • Re-introduce compatibility with Node.js 14.6 (#614)
  • Add --merge option to CLI tool (#611)
  • Improve error for tag resolution error on null value (#616)
  • Allow empty string as plain scalar representation, for failsafe schema (#616)
  • docs: include cli example (#617)

v2.7.1

  • Do not allow seq with single-line collection value on same line with map key (#603)
  • Improve warning & avoid TypeError on bad YAML 1.1 nodes (#610)
Commits
  • ddb21b0 2.9.0
  • 167365b docs: Clarify that not all errors can be avoided
  • 6eca2a7 fix: Avoid calling Array.prototype.push.apply() with large source array
  • 0543cd5 fix(lexer): Avoid recursive calls that may exhaust the call stack
  • ccdf743 2.8.4
  • f625789 fix: Disable alias resolution with maxAliasCount:0 (#677)
  • e1a1a77 fix: Handle invalid unicode escapes
  • a163ea0 style: Satify Prettier
  • b2a5a6c fix: Apply minFractionDigits only to decimal strings (#676)
  • 93c951b chore: Bump JSR version to v2.8.3 (#673)
  • Additional commits viewable in compare view

Updates yaml from 2.7.0 to 2.9.0

Release notes

Sourced from yaml's releases.

v2.9.0

The changes here are really only patches, but I'm releasing this as a minor version to note a small change to the documentation of parseDocument() and parseAllDocuments(): I've removed the claim that they'll "never throw".

It remains the case that practically all non-malicious inputs will be handled without emitting an error, but there is a decent chance that code paths remain where e.g. a RangeError due to call stack exhaustion can be triggered by malicious inputs. Up to now, I've considered these as security vulnerabilities, and in fact it's the only category of error for which yaml CVEs have been issued so far.

Starting from this release, I'll be considering such errors as bugs, but not vulnerabilities. I do welcome people and/or LLMs looking for them, but please report them as normal issues rather than suspected security vulnerabilities. This also applies to previously undiscovered bugs in earlier releases.

  • fix: Avoid calling Array.prototype.push.apply() with large source array
  • fix(lexer): Avoid recursive calls that may exhaust the call stack

v2.8.4

  • Disable alias resolution with maxAliasCount:0 (#677)
  • Handle invalid unicode escapes (e1a1a77)
  • Apply minFractionDigits only to decimal strings (#676)

v2.8.3

  • Add trailingComma ToString option for multiline flow formatting (#670)
  • Catch stack overflow during node composition (1e84ebb)

v2.8.2

  • Serialize -0 as -0 (#638)
  • Do not double newlines for empty map values (#642)

v2.8.1

  • Preserve empty block literals (#634)

v2.8.0

  • Add node cache for faster alias resolution (#612)
  • Re-introduce compatibility with Node.js 14.6 (#614)
  • Add --merge option to CLI tool (#611)
  • Improve error for tag resolution error on null value (#616)
  • Allow empty string as plain scalar representation, for failsafe schema (#616)
  • docs: include cli example (#617)

v2.7.1

  • Do not allow seq with single-line collection value on same line with map key (#603)
  • Improve warning & avoid TypeError on bad YAML 1.1 nodes (#610)
Commits
  • ddb21b0 2.9.0
  • 167365b docs: Clarify that not all errors can be avoided
  • 6eca2a7 fix: Avoid calling Array.prototype.push.apply() with large source array
  • 0543cd5 fix(lexer): Avoid recursive calls that may exhaust the call stack
  • ccdf743 2.8.4
  • f625789 fix: Disable alias resolution with maxAliasCount:0 (#677)
  • e1a1a77 fix: Handle invalid unicode escapes
  • a163ea0 style: Satify Prettier
  • b2a5a6c fix: Apply minFractionDigits only to decimal strings (#676)
  • 93c951b chore: Bump JSR version to v2.8.3 (#673)
  • Additional commits viewable in compare view

Updates path-to-regexp from 0.1.12 to 0.1.13

Release notes

Sourced from path-to-regexp's releases.

0.1.13

Important

Full Changelog: pillarjs/path-to-regexp@v0.1.12...v.0.1.13

Changelog

Sourced from path-to-regexp's changelog.

0.1.13 / 2026-03-26

0.1.7 / 2015-07-28

  • Fixed regression with escaped round brackets and matching groups.

0.1.6 / 2015-06-19

  • Replace index feature by outputting all parameters, unnamed and named.

0.1.5 / 2015-05-08

  • Add an index property for position in match result.

0.1.4 / 2015-03-05

  • Add license information

0.1.3 / 2014-07-06

  • Better array support
  • Improved support for trailing slash in non-ending mode

0.1.0 / 2014-03-06

  • add options.end

0.0.2 / 2013-02-10

  • Update to match current express
  • add .license property to component.json
Commits
Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for path-to-regexp since your current version.


Updates postcss from 8.5.3 to 8.5.15

Release notes

Sourced from postcss's releases.

8.5.15

  • Fixed declaration parsing performance (by @​homanp).

8.5.14

8.5.13

  • Fixed postcss-scss commend regression.

8.5.12

  • Fixed reading any file via user-generated CSS.
  • Added opts.unsafeMap to disable checks.

8.5.11

  • Fixed nested brackets parsing performance (by @​offset).

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.

8.5.8

  • Fixed Processor#version.

8.5.7

  • Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

  • Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

  • Fixed package.jsonexports compatibility with some tools (by @​JounQin).

8.5.4

Changelog

Sourced from postcss's changelog.

8.5.15

  • Fixed declaration parsing performance (by @​homanp).

8.5.14

8.5.13

  • Fixed postcss-scss commend regression.

8.5.12

  • Fixed reading any file via user-generated CSS.
  • Added opts.unsafeMap to disable checks.

8.5.11

  • Fixed nested brackets parsing performance (by @​offset).

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.

8.5.8

  • Fixed Processor#version.

8.5.7

  • Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

  • Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

  • Fixed package.jsonexports compatibility with some tools (by @​JounQin).

8.5.4

Commits
  • eae46db Release 8.5.15 version
  • 79508ff Update CI actions
  • b128e21 Speed up declaration parsing by avoiding creating new array on each token
  • 9825dca Fix code format
  • 55789c8 Update dependencies
  • 84fbbe9 Install older pnpm action for old Node.js
  • 9f860bd Revert pnpm action for old Node.js
  • 0877198 Update CI actions
  • b2d1a33 Fix linter warnings
  • 0700dac Merge pull request #2088 from rootvector2/add-oss-fuzz-harness
  • Additional commits viewable in compare view

Updates postcss from 8.5.3 to 8.5.15

Release notes

Sourced from postcss's releases.

8.5.15

  • Fixed declaration parsing performance (by @​homanp).

8.5.14

8.5.13

  • Fixed postcss-scss commend regression.

8.5.12

  • Fixed reading any file via user-generated CSS.
  • Added opts.unsafeMap to disable checks.

8.5.11

  • Fixed nested brackets parsing performance (by @​offset).

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.

8.5.8

  • Fixed Processor#version.

8.5.7

  • Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

  • Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

  • Fixed package.jsonexports compatibility with some tools (by @​JounQin).

8.5.4

Changelog

Sourced from postcss's changelog.

8.5.15

  • Fixed declaration parsing performance (by @​homanp).

8.5.14

8.5.13

  • Fixed postcss-scss commend regression.

8.5.12

  • Fixed reading any file via user-generated CSS.
  • Added opts.unsafeMap to disable checks.

8.5.11

  • Fixed nested brackets parsing performance (by @​offset).

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.

8.5.8

  • Fixed Processor#version.

8.5.7

  • Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

  • Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

  • Fixed package.jsonexports compatibility with some tools (by @​JounQin).

8.5.4

Commits
  • eae46db Release 8.5.15 version
  • 79508ff Update CI actions
  • b128e21 Speed up declaration parsing by avoiding creating new array on each token
  • 9825dca Fix code format
  • 55789c8 Update dependencies
  • 84fbbe9 Install older pnpm action for old Node.js
  • 9f860bd Revert pnpm action for old Node.js
  • 0877198 Update CI actions
  • b2d1a33 Fix linter warnings
  • 0700dac Merge pull request #2088 from rootvector2/add-oss-fuzz-harness
  • Additional commits viewable in compare view

Updates yaml from 2.7.0 to 2.9.0

Release notes

Sourced from yaml's releases.

v2.9.0

The changes here are really only patches, but I'm releasing this as a minor version to note a small change to the documentation of parseDocument() and parseAllDocuments(): I've removed the claim that they'll "never throw".

It remains the case that practically all non-malicious inputs will be handled without emitting an error, but there is a decent chance that code paths remain where e.g. a RangeError due to call stack exhaustion can be triggered by malicious inputs. Up to now, I've considered these as security vulnerabilities, and in fact it's the only category of error for which yaml CVEs have been issued so far.

Starting from this release, I'll be considering such errors as bugs, but not vulnerabilities. I do welcome people and/or LLMs looking for them, but please report them as normal issues rather than suspected security vulnerabilities. This also applies to previously undiscovered bugs in earlier releases.

  • fix: Avoid calling Array.prototype.push.apply() with large source array
  • fix(lexer): Avoid recursive calls that may exhaust the call stack

v2.8.4

  • Disable alias resolution with maxAliasCount:0 (#677)
  • Handle invalid unicode escapes (e1a1a77)
  • Apply minFractionDigits only to decimal strings (#676)

v2.8.3

  • Add trailingComma ToString option for multiline flow formatting (#670)
  • Catch stack overflow during node composition (1e84ebb)

v2.8.2

  • Serialize -0 as -0 (#638)
  • Do not double newlines for empty map values (#642)

v2.8.1

  • Preserve empty block literals (#634)

v2.8.0

  • Add node cache for faster alias resolution (#612)
  • Re-introduce compatibility with Node.js 14.6 (#614)
  • Add --merge option to CLI tool (#611)
  • Improve error for tag resolution error on null value (#616)
  • Allow empty string as plain scalar representation, for failsafe schema (#616)
  • docs: include cli example (#617)

v2.7.1

  • Do not allow seq with single-line collection value on same line with map key (#603)
  • Improve warning & avoid TypeError on bad YAML 1.1 nodes (#610)
Commits
  • ddb21b0 2.9.0
  • 167365b docs: Clarify that not all errors can be avoided
  • 6eca2a7 fix: Avoid calling Array.prototype.push.apply() with large source array
  • 0543cd5 fix(lexer): Avoid recursive calls that may exhaust the call stack
  • ccdf743 2.8.4
  • f625789 fix: Disable alias resolution with maxAliasCount:0 (#677)
  • e1a1a77 fix: Handle invalid unicode escapes
  • a163ea0 style: Satify Prettier
  • b2a5a6c fix: Apply minFractionDigits only to decimal strings (#676)
  • 93c951b chore: Bump JSR version to v2.8.3 (#673)
  • Additional commits viewable in compare view

Updates path-to-regexp from 0.1.12 to 0.1.13

Release notes

Sourced from path-to-regexp's releases.

0.1.13

Important

Full Changelog: pillarjs/path-to-regexp@v0.1.12...v.0.1.13

Changelog

Sourced from path-to-regexp's changelog.

0.1.13 / 2026-03-26

0.1.7 / 2015-07-28

  • Fixed regression with escaped round brackets and matching groups.

0.1.6 / 2015-06-19

  • Replace index feature by outputting all parameters, unnamed and named.

0.1.5 / 2015-05-08

  • Add an index property for position in match result.

0.1.4 / 2015-03-05

  • Add license information

0.1.3 / 2014-07-06

  • Better array support
  • Improved support for trailing slash in non-ending mode

0.1.0 / 2014-03-06

  • add options.end

0.0.2 / 2013-02-10

  • Update to match current express
  • add .license property to component.json
Commits
Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for path-to-regexp since your current version.


Updates postcss from 8.5.3 to 8.5.15

Release notes

Sourced from postcss's releases.

8.5.15

  • Fixed declaration parsing performance (by @​homanp).

8.5.14

8.5.13

  • Fixed postcss-scss commend regression.

8.5.12

  • Fixed reading any file via user-generated CSS.
  • Added opts.unsafeMap to disable checks.

8.5.11

  • Fixed nested brackets parsing performance (by @​offset).

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.

8.5.8

  • Fixed Processor#version.

8.5.7

  • Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

  • Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

  • Fixed package.jsonexports compatibility with some tools (by @​JounQin).

8.5.4

Changelog

Sourced from postcss's changelog.

8.5.15

  • Fixed declaration parsing performance (by @​homanp).

8.5.14

8.5.13

  • Fixed postcss-scss commend regression.

8.5.12

  • Fixed reading any file via user-generated CSS.
  • Added opts.unsafeMap to disable checks.

8.5.11

  • Fixed nested brackets parsing performance (by @​offset).

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.

8.5.8

  • Fixed Processor#version.

8.5.7

  • Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

  • Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

  • Fixed package.jsonexports compatibility with some tools (by @​JounQin).

8.5.4

Commits
  • eae46db Release 8.5.15 version
  • 79508ff Update CI actions
  • b128e21 Speed up declaration parsing by avoiding creating new array on each token
  • 9825dca Fix code format
  • 55789c8 Update dependencies
  • 84fbbe9 Install older pnpm action for old Node.js
  • 9f860bd Revert pnpm action for old Node.js
  • 0877198 Update CI actions
  • b2d1a33 Fix linter warnings
  • 0700dac Merge pull request #2088 from rootvector2/add-oss-fuzz-harness
  • Additional commits viewable in compare view

Updates follow-redirects from 1.15.11 to 1.16.0

Commits
  • 0c23a22 Release version 1.16.0 of the npm package.
  • 844c4d3 Add sensitiveHeaders option.
  • 5e8b8d0 ci: add Node.js 24.x to the CI matrix
  • 7953e22 ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6
  • 86dc1f8 Sanitizing input.
  • See full diff in compare view

Updates ip-address from 9.0.5 to 10.2.0

Commits
  • 80fccaa 10.2.0
  • abaeb4d Type Address4.addressMinusSuffix as non-nilable (closes #143)
  • 2878c29 Preserve subnet prefix through Address6.to4() (closes #123) (#203)
  • 586666e Reject trailing junk in Address6.fromURL (closes #158) (#202)
  • 80bc76e Validate static factories instead of silently overflowing (#201)
  • 98927be Clarify isValid() accepts CIDRs with host bits set (#81)
  • a0eb073 Fix getScope() and broaden getType() classification (closes #122) (#200)
  • ec52105 Add networkForm() for CIDR network-address strings (#199)
  • a9443a7 Add isMapped4() predicate for IPv4-mapped IPv6 addresses (closes #62) (#198)
  • f01d742 Add address-property predicates (private, ULA, loopback, link-local, etc.) (#...
  • Additional commits viewable in compare view

Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

Bumps the npm_and_yarn group with 4 updates in the /docs directory: [node-forge](https://github.com/digitalbazaar/forge), [postcss](https://github.com/postcss/postcss), [webpack-dev-server](https://github.com/webpack/webpack-dev-server) and [yaml](https://github.com/eemeli/yaml).
Bumps the npm_and_yarn group with 9 updates in the /examples/docs_projects/project_etl_tutorial/dashboard directory:

| Package | From | To |
| --- | --- | --- |
| [follow-redirects](https://github.com/follow-redirects/follow-redirects) | `1.15.11` | `1.16.0` |
| [ip-address](https://github.com/beaugunderson/ip-address) | `9.0.5` | `10.2.0` |
| [lodash](https://github.com/lodash/lodash) | `4.17.23` | `4.18.1` |
| [node-forge](https://github.com/digitalbazaar/forge) | `1.3.3` | `1.4.0` |
| [postcss](https://github.com/postcss/postcss) | `8.5.2` | `8.5.15` |
| [axios](https://github.com/axios/axios) | `1.13.5` | `1.18.0` |
| [basic-ftp](https://github.com/patrickjuchli/basic-ftp) | `5.3.0` | `5.3.1` |
| [devalue](https://github.com/sveltejs/devalue) | `5.6.4` | `5.8.1` |
| [fast-xml-builder](https://github.com/NaturalIntelligence/fast-xml-builder) | `1.0.0` | `1.2.0` |

Bumps the npm_and_yarn group with 9 updates in the /js_modules directory:

| Package | From | To |
| --- | --- | --- |
| [@babel/plugin-transform-modules-systemjs](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs) | `7.29.0` | `7.29.7` |
| [brace-expansion](https://github.com/juliangruber/brace-expansion) | `1.1.12` | `1.1.15` |
| [fast-uri](https://github.com/fastify/fast-uri) | `3.1.0` | `3.1.2` |
| [ip-address](https://github.com/beaugunderson/ip-address) | `10.1.0` | `10.2.0` |
| [postcss](https://github.com/postcss/postcss) | `8.5.6` | `8.5.10` |
| [uuid](https://github.com/uuidjs/uuid) | `9.0.1` | `14.0.0` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `7.3.1` | `7.3.5` |
| [@tootallnate/once](https://github.com/TooTallNate/once) | `2.0.0` | `2.0.1` |
| [next](https://github.com/vercel/next.js) | `15.5.15` | `15.5.18` |

Bumps the npm_and_yarn group with 1 update in the /js_modules/app-oss directory: [uuid](https://github.com/uuidjs/uuid).


Updates `node-forge` from 1.3.3 to 1.4.0
- [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md)
- [Commits](digitalbazaar/forge@v1.3.3...v1.4.0)

Updates `postcss` from 8.5.3 to 8.5.15
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.3...8.5.15)

Updates `webpack-dev-server` from 5.2.2 to 5.2.5
- [Release notes](https://github.com/webpack/webpack-dev-server/releases)
- [Changelog](https://github.com/webpack/webpack-dev-server/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack-dev-server@v5.2.2...v5.2.5)

Updates `yaml` from 2.7.0 to 2.9.0
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](eemeli/yaml@v2.7.0...v2.9.0)

Updates `yaml` from 2.7.0 to 2.9.0
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](eemeli/yaml@v2.7.0...v2.9.0)

Updates `path-to-regexp` from 0.1.12 to 0.1.13
- [Release notes](https://github.com/pillarjs/path-to-regexp/releases)
- [Changelog](https://github.com/pillarjs/path-to-regexp/blob/v.0.1.13/History.md)
- [Commits](pillarjs/path-to-regexp@v0.1.12...v.0.1.13)

Updates `postcss` from 8.5.3 to 8.5.15
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.3...8.5.15)

Updates `postcss` from 8.5.3 to 8.5.15
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.3...8.5.15)

Updates `yaml` from 2.7.0 to 2.9.0
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](eemeli/yaml@v2.7.0...v2.9.0)

Updates `path-to-regexp` from 0.1.12 to 0.1.13
- [Release notes](https://github.com/pillarjs/path-to-regexp/releases)
- [Changelog](https://github.com/pillarjs/path-to-regexp/blob/v.0.1.13/History.md)
- [Commits](pillarjs/path-to-regexp@v0.1.12...v.0.1.13)

Updates `postcss` from 8.5.3 to 8.5.15
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.3...8.5.15)

Updates `follow-redirects` from 1.15.11 to 1.16.0
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.11...v1.16.0)

Updates `ip-address` from 9.0.5 to 10.2.0
- [Commits](beaugunderson/ip-address@v9.0.5...v10.2.0)

Updates `lodash` from 4.17.23 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

Updates `node-forge` from 1.3.3 to 1.4.0
- [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md)
- [Commits](digitalbazaar/forge@v1.3.3...v1.4.0)

Updates `postcss` from 8.5.2 to 8.5.15
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.3...8.5.15)

Updates `axios` from 1.13.5 to 1.18.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.13.5...v1.18.0)

Updates `basic-ftp` from 5.3.0 to 5.3.1
- [Release notes](https://github.com/patrickjuchli/basic-ftp/releases)
- [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md)
- [Commits](patrickjuchli/basic-ftp@v5.3.0...v5.3.1)

Updates `devalue` from 5.6.4 to 5.8.1
- [Release notes](https://github.com/sveltejs/devalue/releases)
- [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md)
- [Commits](sveltejs/devalue@v5.6.4...v5.8.1)

Updates `fast-xml-builder` from 1.0.0 to 1.2.0
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-builder/blob/main/CHANGELOG.md)
- [Commits](https://github.com/NaturalIntelligence/fast-xml-builder/commits/v1.2.0)

Updates `follow-redirects` from 1.15.11 to 1.16.0
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.11...v1.16.0)

Updates `ip-address` from 9.0.5 to 10.2.0
- [Commits](beaugunderson/ip-address@v9.0.5...v10.2.0)

Updates `lodash` from 4.17.23 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

Updates `node-forge` from 1.3.3 to 1.4.0
- [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md)
- [Commits](digitalbazaar/forge@v1.3.3...v1.4.0)

Updates `postcss` from 8.5.2 to 8.5.15
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.3...8.5.15)

Updates `postcss` from 8.5.2 to 8.5.15
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.3...8.5.15)

Updates `lodash` from 4.17.23 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

Updates `ip-address` from 9.0.5 to 10.2.0
- [Commits](beaugunderson/ip-address@v9.0.5...v10.2.0)

Updates `postcss` from 8.5.2 to 8.5.15
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.3...8.5.15)

Updates `@babel/plugin-transform-modules-systemjs` from 7.29.0 to 7.29.7
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.29.7/packages/babel-plugin-transform-modules-systemjs)

Updates `brace-expansion` from 1.1.12 to 1.1.15
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@v1.1.12...v1.1.15)

Updates `fast-uri` from 3.1.0 to 3.1.2
- [Release notes](https://github.com/fastify/fast-uri/releases)
- [Commits](fastify/fast-uri@v3.1.0...v3.1.2)

Updates `ip-address` from 10.1.0 to 10.2.0
- [Commits](beaugunderson/ip-address@v9.0.5...v10.2.0)

Updates `postcss` from 8.5.6 to 8.5.10
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.3...8.5.15)

Updates `uuid` from 9.0.1 to 14.0.0
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](uuidjs/uuid@v9.0.1...v14.0.0)

Updates `vite` from 7.3.1 to 7.3.5
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v7.3.5/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.3.5/packages/vite)

Updates `uuid` from 9.0.1 to 14.0.0
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](uuidjs/uuid@v9.0.1...v14.0.0)

Updates `brace-expansion` from 1.1.12 to 1.1.15
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@v1.1.12...v1.1.15)

Updates `@tootallnate/once` from 2.0.0 to 2.0.1
- [Release notes](https://github.com/TooTallNate/once/releases)
- [Changelog](https://github.com/TooTallNate/once/blob/v2.0.1/CHANGELOG.md)
- [Commits](TooTallNate/once@2.0.0...v2.0.1)

Updates `ip-address` from 10.1.0 to 10.2.0
- [Commits](beaugunderson/ip-address@v9.0.5...v10.2.0)

Updates `postcss` from 8.5.6 to 8.5.10
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.3...8.5.15)

Updates `vite` from 7.3.1 to 7.3.5
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v7.3.5/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.3.5/packages/vite)

Updates `next` from 15.5.15 to 15.5.18
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.5.15...v15.5.18)

Updates `uuid` from 9.0.1 to 14.0.0
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](uuidjs/uuid@v9.0.1...v14.0.0)

Updates `postcss` from 8.5.6 to 8.5.10
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.3...8.5.15)

Updates `vite` from 7.3.1 to 7.3.5
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v7.3.5/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.3.5/packages/vite)

Updates `@babel/plugin-transform-modules-systemjs` from 7.29.0 to 7.29.7
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.29.7/packages/babel-plugin-transform-modules-systemjs)

Updates `@tootallnate/once` from 2.0.0 to 2.0.1
- [Release notes](https://github.com/TooTallNate/once/releases)
- [Changelog](https://github.com/TooTallNate/once/blob/v2.0.1/CHANGELOG.md)
- [Commits](TooTallNate/once@2.0.0...v2.0.1)

Updates `brace-expansion` from 1.1.12 to 1.1.15
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@v1.1.12...v1.1.15)

Updates `fast-uri` from 3.1.0 to 3.1.2
- [Release notes](https://github.com/fastify/fast-uri/releases)
- [Commits](fastify/fast-uri@v3.1.0...v3.1.2)

Updates `ip-address` from 10.1.0 to 10.2.0
- [Commits](beaugunderson/ip-address@v9.0.5...v10.2.0)

Updates `next` from 15.5.15 to 15.5.18
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.5.15...v15.5.18)

Updates `uuid` from 9.0.1 to 14.0.0
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](uuidjs/uuid@v9.0.1...v14.0.0)

Updates `postcss` from 8.5.6 to 8.5.10
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.3...8.5.15)

Updates `uuid` from 9.0.1 to 14.0.1
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](uuidjs/uuid@v9.0.1...v14.0.0)

---
updated-dependencies:
- dependency-name: node-forge
  dependency-version: 1.4.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.15
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: webpack-dev-server
  dependency-version: 5.2.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: yaml
  dependency-version: 2.9.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: yaml
  dependency-version: 2.9.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: path-to-regexp
  dependency-version: 0.1.13
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.15
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.15
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: yaml
  dependency-version: 2.9.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: path-to-regexp
  dependency-version: 0.1.13
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.15
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: follow-redirects
  dependency-version: 1.16.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ip-address
  dependency-version: 10.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: node-forge
  dependency-version: 1.4.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.15
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: axios
  dependency-version: 1.18.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: basic-ftp
  dependency-version: 5.3.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: devalue
  dependency-version: 5.8.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-xml-builder
  dependency-version: 1.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: follow-redirects
  dependency-version: 1.16.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ip-address
  dependency-version: 10.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: node-forge
  dependency-version: 1.4.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.15
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.15
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ip-address
  dependency-version: 10.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.15
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@babel/plugin-transform-modules-systemjs"
  dependency-version: 7.29.7
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 1.1.15
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-uri
  dependency-version: 3.1.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ip-address
  dependency-version: 10.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.10
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: uuid
  dependency-version: 14.0.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 7.3.5
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: uuid
  dependency-version: 14.0.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 1.1.15
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@tootallnate/once"
  dependency-version: 2.0.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ip-address
  dependency-version: 10.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.10
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 7.3.5
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 15.5.18
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: uuid
  dependency-version: 14.0.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.10
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 7.3.5
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: "@babel/plugin-transform-modules-systemjs"
  dependency-version: 7.29.7
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@tootallnate/once"
  dependency-version: 2.0.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 1.1.15
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-uri
  dependency-version: 3.1.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ip-address
  dependency-version: 10.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 15.5.18
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: uuid
  dependency-version: 14.0.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.10
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: uuid
  dependency-version: 14.0.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies javascript Pull requests that update Javascript code labels Jun 22, 2026
@greptile-apps

greptile-apps Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This is a dependabot-generated dependency bump across four directories (/docs, /examples/docs_projects/project_etl_tutorial/dashboard, /js_modules, /js_modules/app-oss), covering 19 packages including several with security fixes.

  • Security fixes included: node-forge 1.3.3→1.4.0 patches four HIGH CVEs (DoS in BigInteger.modInverse(), RSA-PKCS signature forgery, Ed25519 signature malleability, basicConstraints bypass); postcss 8.5.x→8.5.15 fixes an XSS via unescaped </style>; path-to-regexp 0.1.12→0.1.13 fixes CVE-2026-4867.
  • Lockfile inconsistencies in app-oss: app-oss/package.json now requires next: "^16.2.9" (a major v15→v16 jump not described in the PR) and uuid: "^14.0.1", but js_modules/yarn.lock only resolves next at 15.5.18 and uuid at 14.0.0 — both out of range — causing yarn install --immutable to fail.

Confidence Score: 3/5

Safe to merge the security fixes, but the app-oss workspace changes will break immutable installs until the lockfile is regenerated.

app-oss/package.json introduces a next v15→v16 major-version bump absent from the PR description, with no corresponding lockfile entry — yarn.lock still resolves next at 15.5.18. The uuid constraint is similarly mismatched (manifest says ^14.0.1 but lockfile resolves 14.0.0). Any CI step running yarn install --immutable against the js_modules workspace will fail.

js_modules/app-oss/package.json and js_modules/yarn.lock — the next and uuid manifest ranges are inconsistent with what the lockfile actually resolves.

Important Files Changed

Filename Overview
js_modules/app-oss/package.json Two lockfile mismatches: next bumped to ^16.2.9 (v15→v16 major jump) and uuid bumped to ^14.0.1, but yarn.lock only resolves next@15.5.18 and uuid@14.0.0 — both inconsistent with the new manifest ranges.
js_modules/ui-components/package.json Routine patch/minor bumps: yaml ^2.8.3→^2.8.4, postcss ^8.5.0→^8.5.10 (XSS fix), vite ^7.0.0→^7.3.5. All within semver range, no breaking API changes.
js_modules/ui-core/package.json Routine patch bumps: yaml ^2.8.3→^2.8.4 and vite ^7.0.0→^7.3.5. No breaking changes.
js_modules/yarn.lock Lockfile updated for most packages but missing entries for next@^16.2.9 and uuid@^14.0.1 required by app-oss/package.json; inconsistency will break --immutable installs.
docs/yarn.lock Security and patch updates: node-forge (4 HIGH CVEs fixed), postcss (XSS fix), webpack-dev-server, yaml bumps. All appropriate.
examples/docs_projects/project_etl_tutorial/dashboard/package-lock.json Multiple dependency updates including security fixes (follow-redirects, node-forge, postcss). Routine dependabot lockfile update.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[dependabot PR 33947] --> B[docs yarn.lock]
    A --> C[dashboard package-lock.json]
    A --> D[js_modules yarn.lock]
    A --> E[app-oss package.json]

    B --> B1["node-forge 1.3.3 to 1.4.0 - 4xHIGH CVEs"]
    B --> B2["postcss to 8.5.15 - XSS fix"]
    B --> B3["webpack-dev-server to 5.2.5"]

    C --> C1["follow-redirects to 1.16.0"]
    C --> C2["lodash 4.17.23 to 4.18.1"]
    C --> C3["postcss to 8.5.15"]

    D --> D1["next 15.5.15 to 15.5.18 - lockfile OK"]
    D --> D2["uuid 9.0.1 to 14.0.0 - lockfile OK"]
    D --> D3["vite to 7.3.5"]

    E --> E1["next set to ^16.2.9 - MAJOR v15 to v16 - yarn.lock still 15.5.18"]
    E --> E2["uuid set to ^14.0.1 - yarn.lock resolves 14.0.0 - constraint unsatisfied"]

    style E1 fill:#ff9999,color:#000
    style E2 fill:#ff9999,color:#000
Loading
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
    A[dependabot PR 33947] --> B[docs yarn.lock]
    A --> C[dashboard package-lock.json]
    A --> D[js_modules yarn.lock]
    A --> E[app-oss package.json]

    B --> B1["node-forge 1.3.3 to 1.4.0 - 4xHIGH CVEs"]
    B --> B2["postcss to 8.5.15 - XSS fix"]
    B --> B3["webpack-dev-server to 5.2.5"]

    C --> C1["follow-redirects to 1.16.0"]
    C --> C2["lodash 4.17.23 to 4.18.1"]
    C --> C3["postcss to 8.5.15"]

    D --> D1["next 15.5.15 to 15.5.18 - lockfile OK"]
    D --> D2["uuid 9.0.1 to 14.0.0 - lockfile OK"]
    D --> D3["vite to 7.3.5"]

    E --> E1["next set to ^16.2.9 - MAJOR v15 to v16 - yarn.lock still 15.5.18"]
    E --> E2["uuid set to ^14.0.1 - yarn.lock resolves 14.0.0 - constraint unsatisfied"]

    style E1 fill:#ff9999,color:#000
    style E2 fill:#ff9999,color:#000
Loading

Reviews (1): Last reviewed commit: "Bump the npm_and_yarn group across 4 dir..." | Re-trigger Greptile

"eslint-config-next": "^15.3.3",
"graphql": "^16.8.1",
"next": "^15.5.15",
"next": "^16.2.9",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Lockfile out of sync — next@^16.2.9 not resolved in yarn.lock

app-oss/package.json now specifies next: "^16.2.9" (a major-version jump from v15 to v16), but js_modules/yarn.lock only has an entry for "next@npm:^15.5.18" resolving to 15.5.18. The range ^16.2.9 is incompatible with 15.5.18, so yarn install --immutable will fail. The lock file needs to be regenerated to include a next@16.x resolution for the app-oss workspace. Additionally, this is an undocumented major-version bump — the PR description says next goes from 15.5.15 → 15.5.18 but the manifest now requires v16.

"react-dom": "^18.3.1",
"react-is": "^18.3.1",
"react-router": "^5.3.4",
"react-router-dom": "^5.3.0",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Lockfile constraint mismatch — uuid@^14.0.1 vs resolved 14.0.0

app-oss/package.json now declares uuid: "^14.0.1", but js_modules/yarn.lock resolves "uuid@npm:^14.0.0" to version 14.0.0. Since 14.0.0 < 14.0.1, the resolved version does not satisfy the manifest constraint, and yarn install --immutable will fail for this workspace. The lockfile entry key is ^14.0.0 (likely left from a pre-existing resolution) rather than ^14.0.1, so the lock file was not regenerated after the manifest change.

@dependabot @github

dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown
Contributor Author

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Jun 22, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/docs/npm_and_yarn-613a5413e2 branch June 22, 2026 22:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants