
chore(deps): update dependencies to address CVEs#12266

Open
tomkdgun wants to merge 7 commits into
opensearch-project:mainfrom
tomkdgun:cve_tk

Conversation


@tomkdgun tomkdgun commented Jun 23, 2026


Description

This PR addresses multiple dependency security vulnerabilities identified by Mend by updating affected packages to their latest secure versions. The PR was opened because, according to @ruanyl, there is some technical problem with delivering a few pull requests created by Mend/dependabot.

High Severity
Medium Severity
Changes Made
  • tar: Updated to 7.5.16
  • form-data: Updated to 4.0.6
  • ws: Updated to 8.21.0 and 7.5.11
  • js-yaml: Updated to 4.2.0
  • markdown-it: Updated to 14.2.0
  • hono: Updated to 4.12.25

Issues Resolved

closes #12240
closes #12242
closes #12243
closes #12244
closes #12246
closes #12247
closes #12248
closes #12249
closes #12250
closes #12251

After this PR is merged, the pull requests below will be obsolete and can be closed:
#12225
#12226
#12227
#12228
#12253
#12254

Screenshot

Testing the changes

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
  • New functionality includes testing.
  • New functionality has been documented.
  • Commits are signed per the DCO using --signoff

tomkdgun added 6 commits June 23, 2026 12:14
Signed-off-by: Tomasz Kania <tomasz.kania@pl.ibm.com>
Signed-off-by: Tomasz Kania <tomasz.kania@pl.ibm.com>
Signed-off-by: Tomasz Kania <tomasz.kania@pl.ibm.com>
Signed-off-by: Tomasz Kania <tomasz.kania@pl.ibm.com>
Signed-off-by: Tomasz Kania <tomasz.kania@pl.ibm.com>
Signed-off-by: Tomasz Kania <tomasz.kania@pl.ibm.com>
@tomkdgun tomkdgun changed the title CVE tk chore(deps): update dependencies to address CVEs Jun 23, 2026

github-actions Bot commented Jun 23, 2026


🔗 Workflow run · commit f307a3d2b5aa4939fa675a4bd313d82e35155dbb

❌ 1 Jest Test Failure(s)

📄 junit-jest-group4-Windows/TEST-Jest Tests.xml

❌ Query Actions - Comprehensive Test Suite abortAllActiveQueries should abort all active queries and clear controllers (0.008s)

Jest Tests.src\plugins\explore\public\application\utils\state_management\actions

Error: expect(received).toMatchInlineSnapshot(snapshot)

Snapshot name: `logs using level: option 1`

- Snapshot  - 0
+ Received  + 2

  Array [
    " info $ <nodedir>\\node.exe -e console.log(\"hi\")",
+   " info $ <nodedir>\\node.exe -e console.log(\"hi\")",
  … (5 more lines)

1 failure(s) across 1 suite(s). Full XML reports are in the junit-jest-* artifacts.

@github-actions


PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit f307a3d.

Path | Line | Severity | Description
package.json | 143 | high | Dependency version change: form-data bumped from ^4.0.4 to ^4.0.6. Maintainers must verify artifact authenticity on the registry.
package.json | 161 | high | Dependency version change: js-yaml (overrides) bumped from ^4.1.1 to ^4.2.0. Maintainers must verify artifact authenticity on the registry.
package.json | 267 | high | Dependency version change: js-yaml (dependencies) bumped from ^4.1.1 to ^4.2.0. Maintainers must verify artifact authenticity on the registry.
package.json | 301 | high | Dependency version change: tar bumped from ^7.5.10 to ^7.5.16. Maintainers must verify artifact authenticity on the registry.
package.json | 387 | high | Dependency version change: @types/js-yaml bumped from ^4.0.5 to ^4.0.9. Maintainers must verify artifact authenticity on the registry.
package.json | 498 | high | Dependency version change: markdown-it bumped from ^14.1.1 to ^14.2.0. Maintainers must verify artifact authenticity on the registry.
packages/osd-agents/package.json | 35 | high | Dependency version change: ws bumped from ^8.20.1 to ^8.21.0. Maintainers must verify artifact authenticity on the registry.
yarn.lock | 12648 | high | Resolved version change: hono updated from 4.12.23 to 4.12.25 with new integrity hash. Maintainers must verify artifact authenticity on the registry.
yarn.lock | 14976 | high | Resolved version change: linkify-it updated from 5.0.0 to 5.0.1 with new integrity hash. Maintainers must verify artifact authenticity on the registry.
yarn.lock | 22205 | high | Resolved version change: ws 7.x updated from 7.5.10 to 7.5.11 with new integrity hash. Maintainers must verify artifact authenticity on the registry.

The table above displays the top 10 most important findings.

Total: 11 | Critical: 0 | High: 11 | Medium: 0 | Low: 0


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass the diff analyzer by adding the label skip-diff-analyzer after reviewing the changes carefully, then re-run the failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.
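The analyzer asks maintainers to verify the new integrity hashes in yarn.lock against the registry. The following is an added example of that check, not code from this PR or from OpenSearch Dashboards: it parses Yarn v1 lockfile blocks and compares each recorded integrity hash with the `dist.integrity` field the npm registry packument publishes for the same version. The lockfile fragment, the packument stand-in and all sha512 values are constructed placeholders, not the real hono or ws hashes.

```javascript
// Added example (not from the PR or OpenSearch Dashboards): compare the integrity
// hash yarn.lock records for a resolved version with the hash the registry
// publishes for that version. All inputs below are constructed placeholders.

// Parse Yarn v1 lockfile blocks ("name@range:" header, indented fields) into
// one record per resolved name@version.
function parseYarnLock(text) {
  const entries = {};
  for (const block of text.trim().split(/\n\s*\n/)) {
    const [header, ...body] = block.split('\n');
    const fields = {};
    for (const line of body) {
      const [key, ...rest] = line.trim().split(' ');
      fields[key] = rest.join(' ').replace(/^"|"$/g, '');
    }
    // "ws@^8.21.0, ws@^8.20.1:" -> take the first spec, drop the range part
    const name = header.replace(/:$/, '').split(',')[0].trim()
      .replace(/^"|"$/g, '').replace(/@[^@]*$/, '');
    entries[`${name}@${fields.version}`] = { name, ...fields };
  }
  return entries;
}

// For each lock entry, look the version up in the registry packument and report
// whether the recorded integrity hash matches the published one.
function checkIntegrity(lockText, packuments) {
  const results = {};
  for (const [key, entry] of Object.entries(parseYarnLock(lockText))) {
    const dist = packuments[entry.name]?.versions?.[entry.version]?.dist;
    if (!dist) results[key] = 'version-not-published';
    else if (dist.integrity !== entry.integrity) results[key] = 'integrity-mismatch';
    else results[key] = 'ok';
  }
  return results;
}

// Constructed yarn.lock fragment: hono matches the registry, ws does not.
const SAMPLE_LOCK = `
hono@^4.12.25:
  version "4.12.25"
  resolved "https://registry.yarnpkg.com/hono/-/hono-4.12.25.tgz#0000000"
  integrity sha512-PLACEHOLDER_HONO_HASH

ws@^8.21.0, ws@^8.20.1:
  version "8.21.0"
  resolved "https://registry.yarnpkg.com/ws/-/ws-8.21.0.tgz#0000000"
  integrity sha512-PLACEHOLDER_WS_HASH_FROM_LOCKFILE
`;

// Constructed stand-in for the registry packuments (only the dist fields used).
const SAMPLE_REGISTRY = {
  hono: { versions: { '4.12.25': { dist: { integrity: 'sha512-PLACEHOLDER_HONO_HASH' } } } },
  ws: { versions: { '8.21.0': { dist: { integrity: 'sha512-PLACEHOLDER_WS_HASH_FROM_REGISTRY' } } } },
};
```

In practice the packument comes from `https://registry.npmjs.org/<name>`; a mismatch or an unpublished version means the lockfile entry should not be trusted until the difference is explained.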
