Skip to content

Bump the npm_and_yarn group across 1 directory with 6 updates#832

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-20dcec0bad
Closed

Bump the npm_and_yarn group across 1 directory with 6 updates#832
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-20dcec0bad

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 9, 2026
edited
Loading

Bumps the npm_and_yarn group with 5 updates in the / directory:

Package From To
srvx 0.8.9 0.11.15
fast-xml-parser 4.4.1 5.7.2
form-data 2.5.3 2.5.5
jws 4.0.0 4.0.1
minimatch 9.0.5 9.0.9
minimatch 3.1.2 3.1.5

Updates srvx from 0.8.9 to 0.11.15

Release notes

Sourced from srvx's releases.

v0.11.15

compare changes

🩹 Fixes

  • node/web: Do not swallow getReader errors (#199)

❤️ Contributors

v0.11.14

compare changes

🩹 Fixes

  • node: Handle EADDRINUSE port conflict on serve (#197)

❤️ Contributors

v0.11.13

compare changes

🩹 Fixes

  • url: Deopt absolute URIs in FastURL (de0d699)

v0.11.12

compare changes

🩹 Fixes

  • node: Improve pipeBody stability and performance (4051f22)

v0.11.11

compare changes

🩹 Fixes

v0.11.10

compare changes

🩹 Fixes

  • node: Handle error and abort propagation for piped Node.js streams (77f879b)
  • node: Fallback to socket address on invalid Host header (#192)

... (truncated)

Changelog

Sourced from srvx's changelog.

v0.11.15

compare changes

🩹 Fixes

  • node/web: Do not swallow getReader errors (#199)

❤️ Contributors

v0.11.14

compare changes

🩹 Fixes

  • node: Handle EADDRINUSE port conflict on serve (#197)

🏡 Chore

❤️ Contributors

v0.11.13

compare changes

🩹 Fixes

  • url: Deopt absolute URIs in FastURL (de0d699)

🏡 Chore

❤️ Contributors

v0.11.12

... (truncated)

Commits

Updates fast-xml-parser from 4.4.1 to 5.7.2

Release notes

Sourced from fast-xml-parser's releases.

backward compatibility for numerical external entity, fix #705, #817

  • allow numerical external entity for backward compatibility
  • fix #705: attributesGroupName working with preserveOrder
  • fix #817: stackoverflow when tag expression is very long

upgrade @​nodable/entities and FXB

  • Use @nodable/entities v2.1.0
    • breaking changes
      • single entity scan. You're not allowed to use entity value to form another entity name.
      • you cant add numeric external entity
      • entity error message when expantion limit is crossed might change
    • typings are updated for new options related to process entity
    • please follow documentation of @nodable/entities for more detail.
    • performance
      • if processEntities is false, then there should not be impact on performance.
      • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
      • if processEntities is true, and you pass entity decoder separately
        • if no entity then performance should be same as before
        • if there are entities then performance should be increased from past versions
    • ignoreAttributes is not required to be set to set xml version for NCR entity value
  • update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

use @​nodable/entities to replace entities

  • No API change
  • No change in performance for basic usage
  • No typing change
  • No config change
  • new dependency
  • breaking: error messages for entities might have been changed.

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.12...v5.6.0

performance improvment, increase entity expansion default limit

  • increase default entity explansion limit as many projects demand for that
maxEntitySize: 10000,
maxExpansionDepth: 10000,
maxTotalExpansions: Infinity,
maxExpandedLength: 100000,
maxEntityCount: 1000,
  • performance improvement
    • reduce calls to toString
    • early return when entities are not present
    • prepare rawAttrsForMatcher only if user sets jPath: false

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.9...v5.5.10

fix typins and matcher instance in callbacks

combine typings file to avoid configuration changes

... (truncated)

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.7.3 / 2006-05-05

  • fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
  • fix stop node expression when ns prefix is removed (found by iruizsalinas)
  • update XML Builder to 1.1.7
  • mark addEntity deprecated

5.7.2 / 2026-04-25

  • allow numerical external entity for backward compatibility
  • fix #705: attributesGroupName working with preserveOrder
  • fix #817: stackoverflow when tag expression is very long

5.7.1 / 2026-04-20

  • fix typo in CJS typing file

5.7.0 / 2026-04-17

  • Use @nodable/entities v2.1.0
    • breaking changes
      • single entity scan. You're not allowed to user entity value to form another entity name.
      • you cant add numeric external entity
      • entity error message when expantion limit is crossed might change
    • typings are updated for new options related to process entity
    • please follow documentation of @nodable/entities for more detail.
    • performance
      • if processEntities is false, then there should not be impact on performance.
      • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
      • if processEntities is true, and you pass entity decoder separately
        • if no entity then performance should be same as before
        • if there are entities then performance should be increased from past versions
    • ignoreAttributes is not required to be set to set xml version for NCR entity value
  • update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

5.6.0 / 2026-04-15

  • fix: entity replacement for numeric entities
  • use @​nodable/entities to replace entities
    • this may change some error messages related to entities expansion limit or inavlid use
    • post check would be exposed in future version

5.5.12 / 2026-04-13

  • Performance Improvement: update path-expression-matcher
    • use proxy pattern than Proxy class

5.5.11 / 2026-04-08

  • Performance Improvement
    • integrate ExpressionSet for stopNodes

... (truncated)

Commits
  • b1d5b90 update releas info
  • 78571ae tests for long tag expression
  • ebaedc0 allow numerical external entities for backward compatibility
  • 91245eb update changelog
  • 79dd40d fix #705: don not group and nest attributes when both preserveOrder and attri...
  • d6bce3b allow long attribute expressions
  • 9a2561b remove unnecessary
  • 0f08303 fix typo
  • f529642 update to release v5.7.0
  • 52a8583 Revert "improve performance of attributes reading"
  • Additional commits viewable in compare view

Updates @smithy/config-resolver from 4.0.1 to 4.4.17

Release notes

Sourced from @​smithy/config-resolver's releases.

@​smithy/config-resolver@​4.4.17

Patch Changes

  • Updated dependencies [449ba5a]
    • @​smithy/util-endpoints@​3.4.2
Changelog

Sourced from @​smithy/config-resolver's changelog.

4.4.17

Patch Changes

  • Updated dependencies [449ba5a]
    • @​smithy/util-endpoints@​3.4.2

4.4.16

Patch Changes

  • Updated dependencies [5a18069]
  • Updated dependencies [cb76b1f]
  • Updated dependencies [131fce4]
  • Updated dependencies [52b4789]
  • Updated dependencies [b4a8b6b]
    • @​smithy/util-endpoints@​3.4.1
    • @​smithy/types@​4.14.1
    • @​smithy/node-config-provider@​4.3.14
    • @​smithy/util-middleware@​4.2.14

4.4.15

Patch Changes

  • Updated dependencies [8196133]
  • Updated dependencies [2490c8c]
    • @​smithy/util-endpoints@​3.4.0

4.4.14

Patch Changes

  • Updated dependencies [cffd868]
    • @​smithy/types@​4.14.0
    • @​smithy/node-config-provider@​4.3.13
    • @​smithy/util-endpoints@​3.3.4
    • @​smithy/util-middleware@​4.2.13

4.4.13

Patch Changes

  • b1f0dba: fix(middleware-endpoint): update type of useDualStackEndpoint/useFipsEndpoint input config fix(config-resolver): add alternate values for NODE_USE_DUALSTACK_ENDPOINT_CONFIG_OPTIONS and NODE_USE_FIPS_ENDPOINT_CONFIG_OPTIONS

4.4.12

Patch Changes

... (truncated)

Commits
  • c077b47 Version NPM packages
  • a519430 Version NPM packages
  • 77e352f Version NPM packages
  • c01e9df Version NPM packages
  • a35b0ac chore: use dist-es for rollup build of dist-cjs (#1942)
  • ab5df4e docs: update readmes for internal packages (#1932)
  • 9328be2 Version NPM packages
  • b1f0dba fix(config-resolver): add new config selectors (#1927)
  • e3a0f6f Version NPM packages
  • 4b5602d fix(config-resolver): update default value to undefined for dualstack/FIPS co...
  • Additional commits viewable in compare view

Updates form-data from 2.5.3 to 2.5.5

Changelog

Sourced from form-data's changelog.

v2.5.5 - 2025-07-18

Commits

  • [meta] actually ensure the readme backup isn’t published 10626c0
  • [Fix] use proper dependency 026abe5

v2.5.4 - 2025-07-17

Fixed

Commits

  • [eslint] update linting config 8bf2492
  • [meta] add auto-changelog b5101ad
  • [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 0e93122
  • [Fix] Switch to using crypto random for boundary values b88316c
  • [Fix] validate boundary type in setBoundary() method 131ae5e
  • [Tests] Switch to newer v8 prediction library; enable node 24 testing c97cfbe
  • [Refactor] use hasown 97ac9c2
  • [meta] remove local commit hooks be99d4e
  • [Dev Deps] remove unused deps ddbc89b
  • [meta] fix scripts to use prepublishOnly e351a97
  • [Dev Deps] remove unused script 8f23366
  • [Dev Deps] add missing peer dep 02ff026
  • [meta] fix readme capitalization 2fd5f61
Commits
  • 40de5a7 v2.5.5
  • 026abe5 [Fix] use proper dependency
  • 10626c0 [meta] actually ensure the readme backup isn’t published
  • efe6c26 v2.5.4
  • c97cfbe [Tests] Switch to newer v8 prediction library; enable node 24 testing
  • 0e93122 [Tests] handle predict-v8-randomness failures in node < 17 and node > 23
  • b88316c [Fix] Switch to using crypto random for boundary values
  • b70869d [Fix] append: avoid a crash on nullish values
  • 131ae5e [Fix] validate boundary type in setBoundary() method
  • 8bf2492 [eslint] update linting config
  • Additional commits viewable in compare view
Install script changes

This version modifies prepublish script that runs during installation. Review the package contents before updating.


Updates jws from 4.0.0 to 4.0.1

Release notes

Sourced from jws's releases.

v4.0.1

Changed

  • Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
  • Upgrading JWA version to 2.0.1, addressing a compatibility issue for Node >= 25.
Changelog

Sourced from jws's changelog.

[4.0.1]

Changed

  • Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
  • Upgrading JWA version to 2.0.1, adressing a compatibility issue for Node >= 25.

[3.2.3]

Changed

  • Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
  • Upgrading JWA version to 1.4.2, adressing a compatibility issue for Node >= 25.

[3.0.0]

Changed

2.0.0 - 2015-01-30

Changed

  • BREAKING: Default payload encoding changed from binary to utf8. utf8 is a is a more sensible default than binary because many payloads, as far as I can tell, will contain user-facing strings that could be in any language. ([6b6de48])

  • Code reorganization, thanks [@​fearphage]! (7880050)

Added

  • Option in all relevant methods for encoding. For those few users that might be depending on a binary encoding of the messages, this is for them. ([6b6de48])

... (truncated)

Commits
  • 34c45b2 Merge commit from fork
  • 49bc39b version 4.0.1
  • d42350c Enhance tests for HMAC streaming sign and verify
  • 5cb007c Improve secretOrKey initialization in VerifyStream
  • f9a2e1c Improve secret handling in SignStream
  • b9fb8d3 Merge pull request #102 from auth0/SRE-57-Upload-opslevel-yaml
  • 95b75ee Upload OpsLevel YAML
  • 8857ee7 test: remove unused variable (#96)
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jws since your current version.


Updates minimatch from 9.0.5 to 9.0.9

Commits

Updates minimatch from 3.1.2 to 3.1.5

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the npm_and_yarn group across 1 directory with 6 updates
356755a 
Bumps the npm_and_yarn group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [srvx](https://github.com/h3js/srvx) | `0.8.9` | `0.11.15` |
| [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) | `4.4.1` | `5.7.2` |
| [form-data](https://github.com/form-data/form-data) | `2.5.3` | `2.5.5` |
| [jws](https://github.com/brianloveswords/node-jws) | `4.0.0` | `4.0.1` |
| [minimatch](https://github.com/isaacs/minimatch) | `9.0.5` | `9.0.9` |
| [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.5` |



Updates `srvx` from 0.8.9 to 0.11.15
- [Release notes](https://github.com/h3js/srvx/releases)
- [Changelog](https://github.com/h3js/srvx/blob/main/CHANGELOG.md)
- [Commits](h3js/srvx@v0.8.9...v0.11.15)

Updates `fast-xml-parser` from 4.4.1 to 5.7.2
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v4.4.1...v5.7.2)

Updates `@smithy/config-resolver` from 4.0.1 to 4.4.17
- [Release notes](https://github.com/smithy-lang/smithy-typescript/releases)
- [Changelog](https://github.com/smithy-lang/smithy-typescript/blob/@smithy/config-resolver@4.4.17/packages/config-resolver/CHANGELOG.md)
- [Commits](https://github.com/smithy-lang/smithy-typescript/commits/@smithy/config-resolver@4.4.17/packages/config-resolver)

Updates `form-data` from 2.5.3 to 2.5.5
- [Release notes](https://github.com/form-data/form-data/releases)
- [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md)
- [Commits](form-data/form-data@v2.5.3...v2.5.5)

Updates `jws` from 4.0.0 to 4.0.1
- [Release notes](https://github.com/brianloveswords/node-jws/releases)
- [Changelog](https://github.com/auth0/node-jws/blob/master/CHANGELOG.md)
- [Commits](auth0/node-jws@v4.0.0...v4.0.1)

Updates `minimatch` from 9.0.5 to 9.0.9
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v9.0.5...v9.0.9)

Updates `minimatch` from 3.1.2 to 3.1.5
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v9.0.5...v9.0.9)

---
updated-dependencies:
- dependency-name: srvx
  dependency-version: 0.11.15
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: fast-xml-parser
  dependency-version: 5.7.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@smithy/config-resolver"
  dependency-version: 4.4.17
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: form-data
  dependency-version: 2.5.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: jws
  dependency-version: 4.0.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 9.0.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 3.1.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels May 9, 2026
@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented May 9, 2026

⚠️ No Changeset found

Latest commit: 356755a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@socket-security
Copy link
Copy Markdown

socket-security Bot commented May 9, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updated@​google-cloud/​storage@​7.15.2 ⏵ 7.19.093100100 +184100
Updatedsrvx@​0.8.9 ⏵ 0.11.15100 +1100 +296 -392 -1100
Updated@​aws-sdk/​client-s3@​3.758.0 ⏵ 3.1045.098 +1100100 +198100

View full report

@Murderlon
Copy link
Copy Markdown
Collaborator

Murderlon commented May 9, 2026

@dependabot rebase

@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github May 9, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this May 9, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm_and_yarn-20dcec0bad branch May 9, 2026 08:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Murderlon