Skip to content

fix: bump the npm-security group across 1 directory with 18 updates#328

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-security-4ad538871d
Open

fix: bump the npm-security group across 1 directory with 18 updates#328
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-security-4ad538871d

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 28, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm-security group with 1 update in the / directory: nuxt.

Updates nuxt from 4.4.2 to 4.4.8

Release notes

Sourced from nuxt's releases.

v4.4.8

4.4.8 is a hotfix release to address an issue running the dev server on MacOS.

👉 Changelog

compare changes

🩹 Fixes

  • vite: Shorter socket name for macOs with tmp fallback (#35265)
  • kit: Respect type option in findPath (#35272)
  • deps: Update nuxt/scripts presets (905621594)
  • nuxt: Revert unhead dependency back to v2 (e6d578fea)

📖 Documentation

  • Fix many typos (#35266)
  • Explain static fallback pages (#35277)
  • Change null to undefined in data-fetching docs to match actual types (#35301)
  • Fix broken internal links, useAsyncData watch type, and NuxtError type (#35303)

❤️ Contributors

v4.4.7

4.4.7 is a security hotfix release.

👉 make sure to check https://github.com/nuxt/nuxt/security/advisories to view open advisories resolved by this release.

👉 Changelog

compare changes

🩹 Fixes

  • nitro: Assign noSSR before deciding payload extraction (#35108)
  • vite: Avoid filtering out dirs with shared prefix from allowDirs (#35112)
  • nuxt: Use resolve from pathe for buildCache path boundary check (#35111)
  • nuxt: Prevent sibling-directory traversal in test component wrapper (#35110)
  • nitro: Pass event data to isValid in dev clipboard-copy listener (#35109)
  • nuxt: Validate protocols in reloadNuxtApp path before reload (#35115)
  • vite: Prefix public asset virtuals with null byte (9e303b438)
  • nuxt: Re-run getCachedData after initial fetch (#35122)
  • nuxt: Propagate useFetch/useAsyncData factory types (#35133)
  • vite: Close vite dev server on nuxt close (a10a68abc)
  • kit,nuxt: Handle cancelling prompts to install packages (e84813229)
  • kit: Avoid excluding node-context files in legacy tsconfig (#35152)
  • nuxt: Handle missing payload in chunkError listener (#35155)
  • nuxt: Await in-lifght template generation when closing nuxt (#35181)
  • nuxt: Clarify page and layout usage warnings (#35184)
  • webpack: Surface compilation errors when stats.toString is empty (073b07851)
  • nuxt: Reject prototype-chain keys in the island registry (#35205)

... (truncated)

Commits
  • 2bfc2c8 v4.4.8
  • e6d578f fix(nuxt): revert unhead dependency back to v2
  • 9056215 fix(deps): update nuxt/scripts presets
  • b7d5790 v4.4.7
  • dbc5896 chore: lint
  • e447a79 fix(nuxt): reject cross-origin paths in reloadNuxtApp
  • d72a89e refactor(nuxt): replace runInNewContext with AST walker
  • 2cce6fb fix(nuxt): block path-normalization open redirect in navigateTo
  • 0103ce0 fix(nuxt): reject script-capable protocols in \<NuxtLink> href
  • 07e39cd fix(nuxt): match route rules case-insensitively to mirror vue-router
  • Additional commits viewable in compare view

Updates brace-expansion from 2.0.1 to 2.1.2

Release notes

Sourced from brace-expansion's releases.

v2.1.1

  • Backport v5.0.6 change to v2 (#109) c3a817c

juliangruber/brace-expansion@v2.1.0...v2.1.1

v2.0.2

  • pkg: publish on tag 2.x 14f1d91
  • fmt ed7780a
  • Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 36603d5

juliangruber/brace-expansion@v2.0.1...v2.0.2

Commits

Updates defu from 6.1.4 to 6.1.7

Release notes

Sourced from defu's releases.

v6.1.7

compare changes

📦 Build

  • Correct the types export entry (#160)
  • Export Defu types (#157)

❤️ Contributors

v6.1.6

compare changes

📦 Build

v6.1.5

compare changes

🩹 Fixes

  • Prevent prototype pollution via __proto__ in defaults (#156)
  • Ignore inherited enumerable properties (11ba022)

✅ Tests

  • Add more tests for plain objects (b65f603)

❤️ Contributors

Changelog

Sourced from defu's changelog.

v6.1.7

compare changes

🩹 Fixes

  • defu.d.cts: Export Defu types (#157)

📦 Build

  • Correct the types export entry (#160)

❤️ Contributors

v6.1.6

compare changes

📦 Build

❤️ Contributors

v6.1.5

compare changes

🩹 Fixes

  • Prevent prototype pollution via __proto__ in defaults (#156)
  • Ignore inherited enumerable properties (11ba022)

🏡 Chore

✅ Tests

  • Add more tests for plain objects (b65f603)

🤖 CI

... (truncated)

Commits
  • 80c0146 chore(release): v6.1.7
  • 40d7ef4 fix(defu.d.cts): export Defu types (#157)
  • 3d3a7c8 build: correct the types export entry (#160)
  • 001c290 chore(release): v6.1.6
  • 407b516 build: fix mixed types
  • 23e59e6 chore(release): v6.1.5
  • 11ba022 fix: ignore inherited enumerable properties
  • 3942bfb fix: prevent prototype pollution via __proto__ in defaults (#156)
  • d3ef16d chore(deps): update actions/checkout action to v6 (#151)
  • 869a053 chore(deps): update actions/setup-node action to v6 (#149)
  • Additional commits viewable in compare view

Updates devalue from 5.6.3 to 5.8.1

Release notes

Sourced from devalue's releases.

v5.8.1

Patch Changes

  • 206ca67: fix: force sparse arrays to allocate sparsely

v5.8.0

Minor Changes

  • c5115b0: feat: add stringifyAsync for async serialization

v5.7.1

Patch Changes

  • 8becc7c: fix: handle regexes consistently in uneval's value and reference formats

v5.7.0

Minor Changes

  • df2e284: feat: use native alternatives to encode/decode base64
  • 498656e: feat: add DataView support
  • a210130: feat: whitelist Float16Array
  • df2e284: feat: simplify TypedArray slices

Patch Changes

  • 5590634: fix: get uneval type handling up to parity with stringify
  • 57f73fc: fix: correctly support boxed bigints and sentinel values

v5.6.4

Patch Changes

  • 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

    This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

  • 40f1db1: fix: ensure sparse array indices are integers

  • 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

    This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

Changelog

Sourced from devalue's changelog.

5.8.1

Patch Changes

  • 206ca67: fix: force sparse arrays to allocate sparsely

5.8.0

Minor Changes

  • c5115b0: feat: add stringifyAsync for async serialization

5.7.1

Patch Changes

  • 8becc7c: fix: handle regexes consistently in uneval's value and reference formats

5.7.0

Minor Changes

  • df2e284: feat: use native alternatives to encode/decode base64
  • 498656e: feat: add DataView support
  • a210130: feat: whitelist Float16Array
  • df2e284: feat: simplify TypedArray slices

Patch Changes

  • 5590634: fix: get uneval type handling up to parity with stringify
  • 57f73fc: fix: correctly support boxed bigints and sentinel values

5.6.4

Patch Changes

  • 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

    This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

  • 40f1db1: fix: ensure sparse array indices are integers

  • 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

    This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

Commits

Updates h3 from 1.15.5 to 1.15.11

Release notes

Sourced from h3's releases.

v1.15.11

compare changes

🏡 Chore

v1.15.10

compare changes

🩹 Fixes

  • Preserve percent-encoded req.url in app event handler (#1355)

❤️ Contributors

v1.15.9

compare changes

🩹 Fixes

  • Preserve %25 in pathname (1103df6)
  • static: Prevent path traversal via double-encoded dot segments (%252e%252e) (c56683d)
  • sse: Sanitize carriage returns in event stream data and comments (ba3c3fe)

v1.15.8

compare changes

🩹 Fixes

  • Preserve %25 in pathname (1103df6)

v1.15.7

compare changes

🩹 Fixes

  • static: Narrow path traversal check to match .. as a path segment only (c049dc0)
  • app: Decode percent-encoded path segments to prevent auth bypass (313ea52)

💅 Refactors

  • Remove implicit event handler conversion warning (#1340)

❤️ Contributors

... (truncated)

Changelog

Sourced from h3's changelog.

v1.15.11

compare changes

🏡 Chore

❤️ Contributors

v1.15.10

compare changes

🩹 Fixes

  • Preserve percent-encoded req.url in app event handler (#1355)

🏡 Chore

❤️ Contributors

v1.15.9

compare changes

🩹 Fixes

  • Preserve %25 in pathname (1103df6)
  • static: Prevent path traversal via double-encoded dot segments (%252e%252e) (c56683d)
  • sse: Sanitize carriage returns in event stream data and comments (ba3c3fe)

🏡 Chore

❤️ Contributors

... (truncated)

Commits

Updates launch-editor from 2.13.1 to 2.14.1

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for launch-editor since your current version.


Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Updates minimatch from 5.1.6 to 5.1.9

Commits

Updates node-forge from 1.3.3 to 1.4.0

Changelog

Sourced from node-forge's changelog.

1.4.0 - 2026-03-24

Security

  • HIGH: Denial of Service in BigInteger.modInverse()
    • A Denial of Service (DoS) vulnerability exists due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU.
    • Reported by Kr0emer.
    • CVE ID: CVE-2026-33891
    • GHSA ID: GHSA-5gfm-wpxj-wjgq
  • HIGH: Signature forgery in RSA-PKCS due to ASN.1 extra field.
    • RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing "garbage" bytes within the ASN.1 structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN.1 structure, rather than outside of it.
    • Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries.
    • Reported as part of a U.C. Berkeley security research project by:
      • Austin Chu, Sohee Kim, and Corban Villa.
    • CVE ID: CVE-2026-33894
    • GHSA ID: GHSA-ppp5-5v6c-4jwp
  • HIGH: Signature forgery in Ed25519 due to missing S < L check.
    • Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (S >= L). A valid signature and its S + L variant both verify in forge, while Node.js crypto.verify (OpenSSL-backed) rejects the S + L variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed.
    • Reported as part of a U.C. Berkeley security research project by:
      • Austin Chu, Sohee Kim, and Corban Villa.
    • CVE ID: CVE-2026-33895
    • GHSA ID: GHSA-q67f-28xg-22rw
  • HIGH: basicConstraints bypass in certificate chain verification.
    • pki.verifyCertificateChain() does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid.
    • Reported by Doruk Tan Ozturk (@​peaktwilight) - doruk.ch
    • CVE ID: CVE-2026-33896
    • GHSA ID: GHSA-2328-f5f3-gj25

... (truncated)

Commits

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

  • Changelogs are for humans, not machines.
  • There should be an entry for every single version.
  • The same types of changes should be grouped.
  • Versions and sections should be linkable.
  • The latest version comes first.
  • The release date of each versions is displayed.
  • Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

  • Added for new features.
  • Changed for changes in existing functionality.
  • Deprecated for soon-to-be removed features.
  • Removed for now removed features.
  • Fixed for any bug fixes.
  • Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

Changed

3.0.1

Fixes

... (truncated)

Commits

Updates serialize-javascript from 6.0.2 to 7.0.7

Release notes

Sourced from serialize-javascript's releases.

v7.0.7

What's Changed

Full Changelog: yahoo/serialize-javascript@v7.0.6...v7.0.7

v7.0.6

What's Changed

Full Changelog: yahoo/serialize-javascript@v7.0.5...v7.0.6

v7.0.5

Fixes

  • Improve robustness and validation for array-like object serialization.
  • Fix an issue where certain object structures could lead to excessive CPU usage.

For more details, please see GHSA-qj8w-gfj5-8c6v.

v7.0.4

What's Changed

Full Changelog: yahoo/serialize-javascript@v7.0.3...v7.0.4

v7.0.3

  • fix(CVE-2020-7660): fix for RegExp.flags and Date.prototype.toISOString (#207) 2e609d0
  • build(deps-dev): bump lodash from 4.17.21 to 4.17.23 (#206) 42b7cdb

yahoo/serialize-javascript@v7.0.2...v7.0.3

v7.0.2

What's Changed

Full Changelog: yahoo/serialize-javascript@v7.0.1...v7.0.2

v7.0.1

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for serialize-javascript since your current version.


Updates shell-quote from 1.8.3 to 1.10.0

Changelog

Sourced from shell-quote's changelog.

v1.10.0 - 2026-07-10

Merged

Commits

  • [Fix] parse: match nested ${...} braces so nested parameter expansion is consumed as one substitution c0842c8
  • [Tests] parse: pin single-quote literalness and unmatched-quote handling a0d03e3
  • [readme] remove the space in js code fences so evalmd evaluates them 2116fa3
  • [Tests] quote: pin conservative escaping of =, @, ^, ,, :, ! (#11) 1c36f3f
  • [readme] document that quote outputs POSIX quoting, not cmd.exe/PowerShell 100e96e
  • [readme] document parse's supported parameter-expansion subset e1c75cd
  • [Fix] parse: a backslash inside single quotes must not escape the closing quote 5d460a3
  • [readme] fix stale example outputs 2de86f5
  • [Tests] quote: pin that a backslash with whitespace is not doubled in single quotes (#14) 190e236
  • [readme] quote: use output verbatim; do not re-quote it (#11) 1b36468
  • [Refactor] parse: fix swapped SINGLE_QUOTE/DOUBLE_QUOTE variable names 801af5c
  • [types] fix an error TS v6 ignores but v7 fails on 59bbf8b
  • [Dev Deps] update @arethetypeswrong/cli, evalmd a04d475
  • [Dev Deps] update @arethetypeswrong/ci, eslint d390f9a
  • [Tests] quote: the tilde test escapes every ~, not just a leading one (#9) 617d119

v1.9.0 - 2026-06-24

Commits

  • [New] add types dca6e21
  • [Dev Deps] update eslint 9aa9e8f
  • [Fix] parse: finalize tokens in linear time (GHSA-395f-4hp3-45gv) 7ff5488
  • [actions] update workflows 75e8497
  • [actions] Windows + node 4/6/7: pin eslint to 9 before install, since npm 2/3 cannot stage eslint 10@types/esrecurse 3fb739d
  • [actions] retry npm install on Windows to survive npm 2/3 staging-rename flake abe0163
  • [actions] Windows + node 5/7: install deps with a modern node b4bafa2
  • [Fix] quote: escape leading ~ to prevent shell tilde-expansion 7a76c1a
  • [Dev Deps] update auto-changelog, tape 7184b44
  • [Dev Deps] apparently jackspeak is no longer in the graph 9ba368a

v1.8.4 - 2026-05-22

Commits

@dependabot dependabot Bot added dependencies PRs and issues related to dependencies triage Issues and PRs that need a review from contributors for further verification labels Jun 28, 2026
@dependabot dependabot Bot requested a review from janbiasi as a code owner June 28, 2026 20:59
@dependabot dependabot Bot added dependencies PRs and issues related to dependencies triage Issues and PRs that need a review from contributors for further verification labels Jun 28, 2026
@socket-security

socket-security Bot commented Jun 28, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm css-tree is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yamlnpm/nuxt@4.4.2npm/css-tree@3.2.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/css-tree@3.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm powershell-utils is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yamlnpm/nuxt@4.4.2npm/powershell-utils@0.1.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/powershell-utils@0.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm seroval is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yamlnpm/nuxt@4.4.2npm/seroval@1.5.5

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/seroval@1.5.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Bumps the npm-security group with 1 update in the / directory: [nuxt](https://github.com/nuxt/nuxt/tree/HEAD/packages/nuxt).


Updates `nuxt` from 4.4.2 to 4.4.8
- [Release notes](https://github.com/nuxt/nuxt/releases)
- [Commits](https://github.com/nuxt/nuxt/commits/v4.4.8/packages/nuxt)

Updates `brace-expansion` from 2.0.1 to 2.1.2
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@v2.0.1...v2.1.2)

Updates `defu` from 6.1.4 to 6.1.7
- [Release notes](https://github.com/unjs/defu/releases)
- [Changelog](https://github.com/unjs/defu/blob/main/CHANGELOG.md)
- [Commits](unjs/defu@v6.1.4...v6.1.7)

Updates `devalue` from 5.6.3 to 5.8.1
- [Release notes](https://github.com/sveltejs/devalue/releases)
- [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md)
- [Commits](sveltejs/devalue@v5.6.3...v5.8.1)

Updates `h3` from 1.15.5 to 1.15.11
- [Release notes](https://github.com/h3js/h3/releases)
- [Changelog](https://github.com/h3js/h3/blob/v1.15.11/CHANGELOG.md)
- [Commits](h3js/h3@v1.15.5...v1.15.11)

Updates `launch-editor` from 2.13.1 to 2.14.1
- [Commits](vitejs/launch-editor@v2.13.1...v2.14.1)

Updates `lodash` from 4.17.23 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

Updates `minimatch` from 5.1.6 to 5.1.9
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v5.1.6...v5.1.9)

Updates `node-forge` from 1.3.3 to 1.4.0
- [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md)
- [Commits](digitalbazaar/forge@v1.3.3...v1.4.0)

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

Updates `serialize-javascript` from 6.0.2 to 7.0.7
- [Release notes](https://github.com/yahoo/serialize-javascript/releases)
- [Commits](yahoo/serialize-javascript@v6.0.2...v7.0.7)

Updates `shell-quote` from 1.8.3 to 1.10.0
- [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md)
- [Commits](ljharb/shell-quote@v1.8.3...v1.10.0)

Updates `simple-git` from 3.33.0 to 3.36.0
- [Release notes](https://github.com/steveukx/git-js/releases)
- [Changelog](https://github.com/steveukx/git-js/blob/main/simple-git/CHANGELOG.md)
- [Commits](https://github.com/steveukx/git-js/commits/simple-git@3.36.0/simple-git)

Updates `srvx` from 0.11.12 to 0.11.21
- [Release notes](https://github.com/h3js/srvx/releases)
- [Changelog](https://github.com/h3js/srvx/blob/main/CHANGELOG.md)
- [Commits](h3js/srvx@v0.11.12...v0.11.21)

Updates `tar` from 7.5.9 to 7.5.19
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.9...v7.5.19)

Updates `unhead` from 2.1.12 to 2.1.15
- [Release notes](https://github.com/unjs/unhead/releases)
- [Commits](https://github.com/unjs/unhead/commits/v2.1.15/packages/unhead)

Updates `ws` from 8.19.0 to 8.21.0
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.19.0...8.21.0)

Updates `yaml` from 2.8.2 to 2.8.4
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](eemeli/yaml@v2.8.2...v2.8.4)

---
updated-dependencies:
- dependency-name: brace-expansion
  dependency-version: 2.1.1
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: defu
  dependency-version: 6.1.7
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: devalue
  dependency-version: 5.8.1
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: h3
  dependency-version: 1.15.11
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: launch-editor
  dependency-version: 2.14.1
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: minimatch
  dependency-version: 5.1.9
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: node-forge
  dependency-version: 1.4.0
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: nuxt
  dependency-version: 4.4.8
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: serialize-javascript
  dependency-version: 7.0.6
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: shell-quote
  dependency-version: 1.9.0
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: simple-git
  dependency-version: 3.36.0
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: srvx
  dependency-version: 0.11.17
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: tar
  dependency-version: 7.5.19
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: unhead
  dependency-version: 2.1.15
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: ws
  dependency-version: 8.21.0
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: yaml
  dependency-version: 2.8.4
  dependency-type: indirect
  dependency-group: npm-security
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm-security-4ad538871d branch from 5882ce5 to b73e440 Compare July 11, 2026 02:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies PRs and issues related to dependencies triage Issues and PRs that need a review from contributors for further verification

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants