Bump the npm_and_yarn group across 6 directories with 15 updates

[dependabot]

Bumps the npm_and_yarn group with 12 updates in the / directory:

Package	From	To
next	15.2.3	15.5.10
rollbar	2.26.4	2.26.5
valibot	0.38.0	1.2.0
axios	1.8.4	1.13.5
base-x	5.0.0	5.0.1
h3	1.9.0	1.15.5
lodash	4.17.21	4.17.23
node-forge	1.3.1	1.3.3
qs	6.11.1	6.15.0
sha.js	2.4.11	2.4.12
tar-fs	2.1.1	2.1.4
vite	5.4.14	5.4.21

Bumps the npm_and_yarn group with 1 update in the /deploy/tools/affected-tests directory: brace-expansion.
Bumps the npm_and_yarn group with 1 update in the /deploy/tools/envs-validator directory: webpack.
Bumps the npm_and_yarn group with 1 update in the /deploy/tools/favicon-generator directory: webpack.
Bumps the npm_and_yarn group with 1 update in the /deploy/tools/feature-reporter directory: webpack.
Bumps the npm_and_yarn group with 1 update in the /theme directory: webpack.

Updates next from 15.2.3 to 15.5.10

Release notes

Sourced from next's releases.

v15.5.10

Please refer the following changelogs for more information about this security release:

• https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
• https://vercel.com/changelog/summary-of-cve-2026-23864

v15.4.11

Please see this changelog for more information about this security patch.

v15.3.9

Please see this changelog for more information about this security patch.

v15.2.9

Please see this changelog for more information about this security patch.

Commits

• 60a2aa9 v15.5.10
• e5b834d fetch(next/image): reduce maximumResponseBody from 300MB to 50MB (#88588)
• 39a2f6a feat(next/image)!: add images.maximumResponseBody config (#88183)
• bf9f084 Sync DoS mitigations for React Flight
• c5de33e v15.5.9
• dd23399 Backport facebook/react#35351 for 15.5.8 (#87086)
• 7526cd6 v15.5.8
• 1e9ec41 Update React Version (#41)
• 16141e5 Update React Version (#30)
• e01e589 Backport Next.js changes to v15.5.8 (#23)
• Additional commits viewable in compare view

Updates rollbar from 2.26.4 to 2.26.5

Release notes

Sourced from rollbar's releases.

v2.26.5

Prototype pollution prevention, rollbar/rollbar.js#1394

Commits

• f4c7c72 Release 2.26.5 (#1395)
• d717def prototype pollution prevention (#1394)
• 6051042 Merge pull request #1159 from rollbar/upgrade-grunt-and-karma
• ff89ff0 Upgrade dev depenencies grunt and karma
• c370db7 Merge pull request #1158 from rollbar/upgrade-express
• 8069c9a Upgrade requirejs
• 3e02dc0 Upgrade more dependencies
• 65d1388 Upgrade express
• 82efa18 Merge pull request #1147 from rollbar/update-angular-example
• ee0d636 Merge branch 'master' into update-angular-example
• Additional commits viewable in compare view

Updates valibot from 0.38.0 to 1.2.0

Release notes

Sourced from valibot's releases.

v1.2.0

Many thanks to @​EskiMojo14, @​makenowjust, @​ysknsid25 and @​jacekwilczynski for contributing to this release.

Read the release notes on our website for a quick overview of the most exciting new features in this release.

• Add toBigint, toBoolean, toDate, toNumber and toString transformation actions (pull request #1212)
• Add examples action to add example values to a schema (pull request #1199)
• Add getExamples method to extract example values from a schema (pull request #1199)
• Add isbn validation action to validate ISBN-10 and ISBN-13 strings (pull request #1097)
• Add exports for RawCheckAddIssue, RawCheckContext, RawCheckIssueInfo, RawTransformAddIssue, RawTransformContext and RawTransformIssueInfo types for better developer experience with rawCheck and rawTransform actions (pull request #1359)
• Change build step to tsdown
• Fix ReDoS vulnerability in EMOJI_REGEX used by emoji action

v1.2.0 (to-json-schema)

Many thanks to @​cruzdanilo and @​Xiot for contributing to this release.

• Add support for title, description and examples in metadata action (pull request #1189)
• Add new override configurations to override default behaviour of JSON Schema conversion (pull request #1197)
• Add storage for global definitions with addGlobalDefs and getGlobalDefs (pull request #1197)
• Add new toJsonSchemaDefs function to convert Valibot schema definitions to JSON Schema definitions (pull request #1197)

v1.1.0

Many thanks to @​EltonLobo07, @​sacrosanctic, @​muningis, @​EskiMojo14, @​MOZGIII, @​vktrl and @​jasperteo for contributing to this release.

Read the release notes on our website for a quick overview of the most exciting new features in this release.

• Add message method to overwrite local error message configuration of a schema (pull request #1103)
• Add summarize method to summarize issues into a pretty-printable multi-line string (pull request #1158)
• Add getTitle, getDescription and getMetadata methods to extract metadata of a schema (pull request #1154)
• Add minEntries and maxEntries validation action to validate number of object entries (pull request #1100)
• Add entries and notEntries validation action to validate number of object entries (pull request #1156)
• Add parseJson and stringifyJson transformation action to parse and stringify JSON (pull request #1137)
• Add flavor transformation action to flavor the output type of a schema (pull request #950)
• Add support for bigints to multipleOf validation action (pull request #1164)
• Change implementation of variant and variantAsync schema to improve performance by aborting validation of discriminators early (pull request #1110)
• Change name of NanoIDAction and NanoIDIssue interface to NanoIdAction and NanoIdIssue (pull request #1171)
• Fix internal MarkOptional type to fix input and output type of objects in edge cases (issue #1176)

v1.1.0 (to-json-schema)

Many thanks to @​sruenwg, @​muningis and @​EltonLobo07 for contributing to this release.

• Add support for minEntries and maxEntries action (pull request #1100)
• Add support for entries action (pull request #1156)
• Change Valibot peer dependency to v1.1.0
• Fix toJsonSchema to be independent of definition order (pull request #1133)
• Fix additionalItems for tuple schemas and add minItems (pull request #1126)

v1.0.0

This is a summary of the changes between v0 and v1. Many thanks to everyone who contributed to this release.

... (truncated)

Commits

• 053ae97 Bump version to 1.2.0 and update changelog
• de76d7c Merge pull request #1361 from open-circle/v1.2-blog-post
• c14f092 Add security fix for ReDoS vulnerability in emoji action and update release n...
• cfb799d Merge commit from fork
• 36fafd0 Add release notes blog post for Valibot v1.2 to website
• 83c07ca Merge pull request #1097 from ysknsid25/feat/add-isbn-validation
• 6957e0d Add beta annotation to JSDoc comment of isbn action
• 6c7f9c0 Add docs for new isbn action to website
• ca902e6 Refactor ISBN regex constants and update validation logic
• e7a4f17 Refactor and improve new isbn action and update changelog
• Additional commits viewable in compare view

Updates axios from 1.8.4 to 1.13.5

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

• Fix/5657. (PR #7313)
• Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

• Add input validation to isAbsoluteURL. (PR #7326)
• Refactor: bump minor package versions. (PR #7356)

Documentation

• Clarify object-check comment. (PR #7323)
• Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

• Chore: fix issues with YAML. (PR #7355)
• CI: update workflow YAMLs. (PR #7372)
• CI: fix run condition. (PR #7373)
• Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)
• Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

• @​sachin11063 (first contribution — PR #7323)
• @​asmitha-16 (first contribution — PR #7326)

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

• fix: issues with version 1.13.3 (#7352) (ee90dfc)
  • Fixed issues discovered in v1.13.3 release

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
• turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
• add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#6265) (860e033)
• enhance pipeFileToResponse with error handling (#7169) (88d7884)
• types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad

... (truncated)

Commits

• 29f7542 chore(release): prepare release 1.13.5 (#7379)
• 431c3a3 ci: fix run condition (#7373)
• 9ff3a78 ci: update ymls (#7372)
• 265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
• 475e75a feat: add input validation to isAbsoluteURL (#7326)
• 28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
• 04cf019 docs: clarify object check comment (#7323)
• 696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
• 569f028 fix: added a option to choose between legacy and the new request/response int...
• 44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Updates base-x from 5.0.0 to 5.0.1

Commits

• b7b0cec 5.0.1
• e4cb9b0 Merge pull request #86 from steveluscher/prohibit-high-char-codes
• 831716a Prohibit char codes that would overflow the BASE_MAP
• 64e196c Merge pull request #81 from steveluscher/this-but-faster
• 261fb36 Improve decoding performance
• 39f2673 Merge pull request #83 from cryptocoinjs/bumpv5
• See full diff in compare view

Updates h3 from 1.9.0 to 1.15.5

Release notes

Sourced from h3's releases.

v1.15.5

compare changes

[!IMPORTANT] Security: Fixed a bug in readBody(event) and readRawBody(event) utils where certain Transfer-Encoding header formats could cause the request body to be ignored.

In some deployments (for example, behind TCP load balancers or non-normalizing proxies), this could allow request smuggling. The handling is now safe and fully compliant. (read more)

🩹 Fixes

• readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)

v1.15.4

compare changes

🩹 Fixes

• getRequestHost: Return first host from x-forwarded-host (#1175)

💅 Refactors

• useSession: Backport SessionManager interface to fix types (#1058)

🏡 Chore

• docs: Fix typos (#1108)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Kricsleo (@​kricsleo)
• Izoukhai (@​izoukhai)

v1.15.3

compare changes

🩹 Fixes

• serveStatic: Omit decoded id from statusMessage (#1044)

v1.15.2

compare changes

🩹 Fixes

• Handle FormData body (3757072 f38dd03 0c9b276)
• cache: Correct comparison in cache headers (#1034)
• Handle Headers when merging proxy headers (#1027)
• setCookie: Unique by name, domain, and path only (#1042)

... (truncated)

Changelog

Sourced from h3's changelog.

v1.15.5

compare changes

🩹 Fixes

• readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)

🏡 Chore

• Update deps (e2462ec)
• Update ci (c934599)
• Add test:types script (0a4a115)
• Update ci (b4dce71)
• Update publish tag to 1.x (589625c)
• Fix ts issue (c9ebf80)
• Update deps (d18c074)
• Fix more ts/lint issues (bd92b74)

🤖 CI

• Fix publish tag (401c9b8)

❤️ Contributors

• Pooya Parsa (@​pi0)

v1.15.4

compare changes

🩹 Fixes

• serveStatic: Omit decoded id from statusMessage (#1044)
• getRequestHost: Return first host from x-forwarded-host (#1175)

💅 Refactors

• useSession: Backport SessionManager interface to fix types (#1058)

📦 Build

• Update repository field (d94b09a)

🏡 Chore

• release: V1.15.3 (3d0f4d5)
• docs: Fix typos (#1108)
• Apply automated updates (774956a)
• Update deps (18d0bb7)

... (truncated)

Commits

• 24231b9 chore(release): v1.15.5
• bd92b74 chore: fix more ts/lint issues
• d18c074 chore: update deps
• c9ebf80 chore: fix ts issue
• 618ccf4 fix(readRawBody): fix case-sensitive Transfer-Encoding check causing reques...
• 401c9b8 ci: fix publish tag
• 589625c chore: update publish tag to 1.x
• b4dce71 chore: update ci
• 0a4a115 chore: add test:types script
• c934599 chore: update ci
• Additional commits viewable in compare view

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates node-forge from 1.3.1 to 1.3.3

Changelog

Sourced from node-forge's changelog.

1.3.3 - 2025-12-02

Fixed

• [pkcs12] Make digestAlgorithm parameters optional to fix PKCS#12/PFX issues introduced in 1.3.2.

1.3.2 - 2025-11-25

Security

• HIGH: ASN.1 Validator Desynchronization
  • An Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-12816
  • GHSA ID: GHSA-5gfm-wpxj-wjgq
• HIGH: ASN.1 Unbounded Recursion
  • An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-66031
  • GHSA ID: GHSA-554w-wpv2-vw27
• MODERATE: ASN.1 OID Integer Truncation
  • An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-66030
  • GHSA ID: GHSA-65ch-62r8-g69g

Fixed

• [asn1] Fix for vulnerability identified by CVE-2025-12816 PKCS#12 MAC verification bypass due to missing macData enforcement and improper asn1.validate routine.
• [asn1] Add fromDer() max recursion depth check.
  • Add a asn1.maxDepth global configurable maximum depth of 256.
  • Add a asn1.fromDer() per-call maxDepth option.
  • NOTE: The default maximum is assumed to be higher than needed for valid data. If this assumption is false then this could be a breaking change. Please file an issue if there are use cases that need a higher maximum.
  • NOTE: The per-call maxDepth parameter has not been exposed up through all of the API stack due to the complexities involved. Please file an issue if there are use cases that require this instead of changing the default

... (truncated)

Commits

• 1cea0af Release 1.3.3.
• 5265989 Update changelog.
• e4f3961 Fix changelog for release.
• 503979b Update changelog.
• c3b3b32 Make digestAlgorithm parameters optional
• 6f70043 Update CVE details.
• f547b0d Start 1.3.3-0.
• 235ad3e Release 1.3.2.
• 2598244 Update changelog.
• 0032dd0 Fix typos.
• Additional commits viewable in compare view

Updates qs from 6.11.1 to 6.15.0

Changelog

Sourced from qs's changelog.

6.15.0

• [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
• [Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

6.14.1

• [Fix] ensure arrayLimit applies to [] notation as well
• [Fix] parse: when a custom decoder returns null for a key, ignore that key
• [Refactor] parse: extract key segment splitting helper
• [meta] add threat model
• [actions] add workflow permissions
• [Tests] stringify: increase coverage
• [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

• [New] parse: add throwOnParameterLimitExceeded option (#517)
• [Refactor] parse: use utils.combine more
• [patch] parse: add explicit throwOnLimitExceeded default
• [actions] use shared action; re-add finishers
• [meta] Fix changelog formatting bug
• [Deps] update side-channel
• [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
• [Tests] increase coverage

6.13.3

[Fix] fix regressions from robustness refactor [actions] update reusable workflows

6.13.2

• [Robustness] avoid .push, use void
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [actions] fix rebase workflow permissions

6.13.1

• [Fix] stringify: avoid a crash when a filter key is null
• [Fix] utils.merge: functions should not be stringified into keys

... (truncated)

Commits

• d9b4c66 v6.15.0
• cb41a54 [New] parse: add strictMerge option to wrap object/primitive conflicts in...
• 88e1563 [Fix] duplicates option should not apply to bracket notation keys
• 9d441d2 Merge backport release tags v6.0.6–v6.13.3 into main
• 85cc8ca v6.12.5
• ffc12aa v6.11.4
• 0506b11 [actions] update reusable workflows
• 6a37faf [actions] update reusable workflows
• 8e8df5a [Fix] fix regressions from robustness refactor
• d60bab3 v6.10.7
• Additional commits viewable in compare view

Updates sha.js from 2.4.11 to 2.4.12

Changelog

Sourced from sha.js's changelog.

v2.4.12 - 2025-07-01

Commits

• [eslint] switch to eslint 7acadfb
• [meta] add auto-changelog b46e711
• [eslint] fix package.json indentation df9d521
• [Tests] migrate from travis to GHA c43c64a
• [Fix] support multi-byte wide typed arrays f2a258e
• [meta] reorder package.json d8d77c0
• [meta] add npmignore 35aec35
• [Tests] avoid console logs 73e33ae
• [Tests] fix tests run in batch 2629130
• [Tests] drop node requirement to 0.10 00c7f23
• [Dev Deps] update buffer, hash-test-vectors, standard, tape, typedarray 92b5de5
• [Tests] drop node requirement to v3 9b5eca8
• [meta] set engines to >= 4 807084c
• Only apps should have lockfiles c72789c
• [Deps] update inherits, safe-buffer 5428cfc
• [Dev Deps] update @ljharb/eslint-config 2dbe0aa
• update README to reflect LICENSE 8938256
• [Dev Deps] add missing peer dep d528896
• [Dev Deps] remove unused buffer dep 94ca724

Commits

• eb4ea2f v2.4.12
• d8d77c0 [meta] reorder package.json
• df9d521 [eslint] fix package.json indentation
• 35aec35 [meta] add npmignore
• d528896 [Dev Deps] add missing peer dep
• b46e711 [meta] add auto-changelog
• 94ca724 [Dev Deps] remove unused buffer dep
• 2dbe0aa [Dev Deps] update @ljharb/eslint-config
• 73e33ae [Tests] avoid console logs
• f2a258e [Fix] support multi-byte wide typed arrays
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for sha.js since your current version.

Updates tar-fs from 2.1.1 to 2.1.4

Commits

• f421a23 2.1.4
• c412fa1 refactor to same pattern as v3
• 4b7e868 2.1.3
• 266194b hardlink tweak from main
• d97731b 2.1.2
• fd1634e symlink tweak from main
• See full diff in compare view

Updates vite from 5.4.14 to 5.4.21

Release notes

Sourced from vite's releases.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

v5.4.19

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.21 (2025-10-20)

• fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970) (cad1d31), closes #20968 #20970
• chore: update CHANGELOG (ca88ed7)

5.4.20 (2025-09-08)

• fix: apply fs.strict check to HTML files (#20736) (482000f), closes #20736
• fix: port sirv@3.0.2 changes to sirv@2.0.4 (#20737) (4f1c35b), closes #20737

5.4.19 (2025-04-30)

• fix: backport #19965, check static serve file inside sirv (#19966) (<...

  Description has been truncated