Skip to content

Bump the npm_and_yarn group across 1 directory with 5 updates#834

Merged
Murderlon merged 3 commits into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-f91475176b
May 9, 2026
Merged

Bump the npm_and_yarn group across 1 directory with 5 updates#834
Murderlon merged 3 commits into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-f91475176b

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 9, 2026

Bumps the npm_and_yarn group with 4 updates in the / directory: fast-xml-parser, form-data, jws and minimatch.

Updates fast-xml-parser from 4.4.1 to 5.7.2

Release notes

Sourced from fast-xml-parser's releases.

backward compatibility for numerical external entity, fix #705, #817

  • allow numerical external entity for backward compatibility
  • fix #705: attributesGroupName working with preserveOrder
  • fix #817: stackoverflow when tag expression is very long

upgrade @​nodable/entities and FXB

  • Use @nodable/entities v2.1.0
    • breaking changes
      • single entity scan. You're not allowed to use entity value to form another entity name.
      • you cant add numeric external entity
      • entity error message when expantion limit is crossed might change
    • typings are updated for new options related to process entity
    • please follow documentation of @nodable/entities for more detail.
    • performance
      • if processEntities is false, then there should not be impact on performance.
      • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
      • if processEntities is true, and you pass entity decoder separately
        • if no entity then performance should be same as before
        • if there are entities then performance should be increased from past versions
    • ignoreAttributes is not required to be set to set xml version for NCR entity value
  • update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

use @​nodable/entities to replace entities

  • No API change
  • No change in performance for basic usage
  • No typing change
  • No config change
  • new dependency
  • breaking: error messages for entities might have been changed.

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.12...v5.6.0

performance improvment, increase entity expansion default limit

  • increase default entity explansion limit as many projects demand for that
maxEntitySize: 10000,
maxExpansionDepth: 10000,
maxTotalExpansions: Infinity,
maxExpandedLength: 100000,
maxEntityCount: 1000,
  • performance improvement
    • reduce calls to toString
    • early return when entities are not present
    • prepare rawAttrsForMatcher only if user sets jPath: false

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.9...v5.5.10

fix typins and matcher instance in callbacks

combine typings file to avoid configuration changes

... (truncated)

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.7.3 / 2006-05-05

  • fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
  • fix stop node expression when ns prefix is removed (found by iruizsalinas)
  • update XML Builder to 1.1.7
  • mark addEntity deprecated

5.7.2 / 2026-04-25

  • allow numerical external entity for backward compatibility
  • fix #705: attributesGroupName working with preserveOrder
  • fix #817: stackoverflow when tag expression is very long

5.7.1 / 2026-04-20

  • fix typo in CJS typing file

5.7.0 / 2026-04-17

  • Use @nodable/entities v2.1.0
    • breaking changes
      • single entity scan. You're not allowed to user entity value to form another entity name.
      • you cant add numeric external entity
      • entity error message when expantion limit is crossed might change
    • typings are updated for new options related to process entity
    • please follow documentation of @nodable/entities for more detail.
    • performance
      • if processEntities is false, then there should not be impact on performance.
      • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
      • if processEntities is true, and you pass entity decoder separately
        • if no entity then performance should be same as before
        • if there are entities then performance should be increased from past versions
    • ignoreAttributes is not required to be set to set xml version for NCR entity value
  • update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

5.6.0 / 2026-04-15

  • fix: entity replacement for numeric entities
  • use @​nodable/entities to replace entities
    • this may change some error messages related to entities expansion limit or inavlid use
    • post check would be exposed in future version

5.5.12 / 2026-04-13

  • Performance Improvement: update path-expression-matcher
    • use proxy pattern than Proxy class

5.5.11 / 2026-04-08

  • Performance Improvement
    • integrate ExpressionSet for stopNodes

... (truncated)

Commits
  • b1d5b90 update releas info
  • 78571ae tests for long tag expression
  • ebaedc0 allow numerical external entities for backward compatibility
  • 91245eb update changelog
  • 79dd40d fix #705: don not group and nest attributes when both preserveOrder and attri...
  • d6bce3b allow long attribute expressions
  • 9a2561b remove unnecessary
  • 0f08303 fix typo
  • f529642 update to release v5.7.0
  • 52a8583 Revert "improve performance of attributes reading"
  • Additional commits viewable in compare view

Updates @smithy/config-resolver from 4.0.1 to 4.4.17

Release notes

Sourced from @​smithy/config-resolver's releases.

@​smithy/config-resolver@​4.4.17

Patch Changes

  • Updated dependencies [449ba5a]
    • @​smithy/util-endpoints@​3.4.2
Changelog

Sourced from @​smithy/config-resolver's changelog.

4.4.17

Patch Changes

  • Updated dependencies [449ba5a]
    • @​smithy/util-endpoints@​3.4.2

4.4.16

Patch Changes

  • Updated dependencies [5a18069]
  • Updated dependencies [cb76b1f]
  • Updated dependencies [131fce4]
  • Updated dependencies [52b4789]
  • Updated dependencies [b4a8b6b]
    • @​smithy/util-endpoints@​3.4.1
    • @​smithy/types@​4.14.1
    • @​smithy/node-config-provider@​4.3.14
    • @​smithy/util-middleware@​4.2.14

4.4.15

Patch Changes

  • Updated dependencies [8196133]
  • Updated dependencies [2490c8c]
    • @​smithy/util-endpoints@​3.4.0

4.4.14

Patch Changes

  • Updated dependencies [cffd868]
    • @​smithy/types@​4.14.0
    • @​smithy/node-config-provider@​4.3.13
    • @​smithy/util-endpoints@​3.3.4
    • @​smithy/util-middleware@​4.2.13

4.4.13

Patch Changes

  • b1f0dba: fix(middleware-endpoint): update type of useDualStackEndpoint/useFipsEndpoint input config fix(config-resolver): add alternate values for NODE_USE_DUALSTACK_ENDPOINT_CONFIG_OPTIONS and NODE_USE_FIPS_ENDPOINT_CONFIG_OPTIONS

4.4.12

Patch Changes

... (truncated)

Commits
  • c077b47 Version NPM packages
  • a519430 Version NPM packages
  • 77e352f Version NPM packages
  • c01e9df Version NPM packages
  • a35b0ac chore: use dist-es for rollup build of dist-cjs (#1942)
  • ab5df4e docs: update readmes for internal packages (#1932)
  • 9328be2 Version NPM packages
  • b1f0dba fix(config-resolver): add new config selectors (#1927)
  • e3a0f6f Version NPM packages
  • 4b5602d fix(config-resolver): update default value to undefined for dualstack/FIPS co...
  • Additional commits viewable in compare view

Updates form-data from 2.5.3 to 2.5.5

Changelog

Sourced from form-data's changelog.

v2.5.5 - 2025-07-18

Commits

  • [meta] actually ensure the readme backup isn’t published 10626c0
  • [Fix] use proper dependency 026abe5

v2.5.4 - 2025-07-17

Fixed

Commits

  • [eslint] update linting config 8bf2492
  • [meta] add auto-changelog b5101ad
  • [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 0e93122
  • [Fix] Switch to using crypto random for boundary values b88316c
  • [Fix] validate boundary type in setBoundary() method 131ae5e
  • [Tests] Switch to newer v8 prediction library; enable node 24 testing c97cfbe
  • [Refactor] use hasown 97ac9c2
  • [meta] remove local commit hooks be99d4e
  • [Dev Deps] remove unused deps ddbc89b
  • [meta] fix scripts to use prepublishOnly e351a97
  • [Dev Deps] remove unused script 8f23366
  • [Dev Deps] add missing peer dep 02ff026
  • [meta] fix readme capitalization 2fd5f61
Commits
  • 40de5a7 v2.5.5
  • 026abe5 [Fix] use proper dependency
  • 10626c0 [meta] actually ensure the readme backup isn’t published
  • efe6c26 v2.5.4
  • c97cfbe [Tests] Switch to newer v8 prediction library; enable node 24 testing
  • 0e93122 [Tests] handle predict-v8-randomness failures in node < 17 and node > 23
  • b88316c [Fix] Switch to using crypto random for boundary values
  • b70869d [Fix] append: avoid a crash on nullish values
  • 131ae5e [Fix] validate boundary type in setBoundary() method
  • 8bf2492 [eslint] update linting config
  • Additional commits viewable in compare view
Install script changes

This version modifies prepublish script that runs during installation. Review the package contents before updating.


Updates jws from 4.0.0 to 4.0.1

Release notes

Sourced from jws's releases.

v4.0.1

Changed

  • Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
  • Upgrading JWA version to 2.0.1, addressing a compatibility issue for Node >= 25.
Changelog

Sourced from jws's changelog.

[4.0.1]

Changed

  • Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
  • Upgrading JWA version to 2.0.1, adressing a compatibility issue for Node >= 25.

[3.2.3]

Changed

  • Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
  • Upgrading JWA version to 1.4.2, adressing a compatibility issue for Node >= 25.

[3.0.0]

Changed

2.0.0 - 2015-01-30

Changed

  • BREAKING: Default payload encoding changed from binary to utf8. utf8 is a is a more sensible default than binary because many payloads, as far as I can tell, will contain user-facing strings that could be in any language. ([6b6de48])

  • Code reorganization, thanks [@​fearphage]! (7880050)

Added

  • Option in all relevant methods for encoding. For those few users that might be depending on a binary encoding of the messages, this is for them. ([6b6de48])

... (truncated)

Commits
  • 34c45b2 Merge commit from fork
  • 49bc39b version 4.0.1
  • d42350c Enhance tests for HMAC streaming sign and verify
  • 5cb007c Improve secretOrKey initialization in VerifyStream
  • f9a2e1c Improve secret handling in SignStream
  • b9fb8d3 Merge pull request #102 from auth0/SRE-57-Upload-opslevel-yaml
  • 95b75ee Upload OpsLevel YAML
  • 8857ee7 test: remove unused variable (#96)
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jws since your current version.


Updates minimatch from 9.0.5 to 9.0.9

Commits

Updates minimatch from 3.1.2 to 3.1.5

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the npm_and_yarn group across 1 directory with 5 updates
69e062d 
Bumps the npm_and_yarn group with 4 updates in the / directory: [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser), [form-data](https://github.com/form-data/form-data), [jws](https://github.com/brianloveswords/node-jws) and [minimatch](https://github.com/isaacs/minimatch).


Updates `fast-xml-parser` from 4.4.1 to 5.7.2
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v4.4.1...v5.7.2)

Updates `@smithy/config-resolver` from 4.0.1 to 4.4.17
- [Release notes](https://github.com/smithy-lang/smithy-typescript/releases)
- [Changelog](https://github.com/smithy-lang/smithy-typescript/blob/@smithy/config-resolver@4.4.17/packages/config-resolver/CHANGELOG.md)
- [Commits](https://github.com/smithy-lang/smithy-typescript/commits/@smithy/config-resolver@4.4.17/packages/config-resolver)

Updates `form-data` from 2.5.3 to 2.5.5
- [Release notes](https://github.com/form-data/form-data/releases)
- [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md)
- [Commits](form-data/form-data@v2.5.3...v2.5.5)

Updates `jws` from 4.0.0 to 4.0.1
- [Release notes](https://github.com/brianloveswords/node-jws/releases)
- [Changelog](https://github.com/auth0/node-jws/blob/master/CHANGELOG.md)
- [Commits](auth0/node-jws@v4.0.0...v4.0.1)

Updates `minimatch` from 9.0.5 to 9.0.9
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v9.0.5...v9.0.9)

Updates `minimatch` from 3.1.2 to 3.1.5
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v9.0.5...v9.0.9)

---
updated-dependencies:
- dependency-name: fast-xml-parser
  dependency-version: 5.7.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@smithy/config-resolver"
  dependency-version: 4.4.17
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: form-data
  dependency-version: 2.5.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: jws
  dependency-version: 4.0.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 9.0.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 3.1.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels May 9, 2026
@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented May 9, 2026
edited
Loading

🦋 Changeset detected

Latest commit: 8b0b3e0

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@tus/s3-store Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@socket-security
Copy link
Copy Markdown

socket-security Bot commented May 9, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updated@​google-cloud/​storage@​7.15.2 ⏵ 7.19.093100100 +184100
Updated@​aws-sdk/​client-s3@​3.758.0 ⏵ 3.1045.098 +1100100 +198100

View full report

Murderlon
Murderlon reviewed May 9, 2026
View reviewed changes
Comment thread packages/gcs-store/package.json Outdated
@Murderlon Murderlon merged commit 8c1c03a into main May 9, 2026
4 checks passed
@Murderlon Murderlon deleted the dependabot/npm_and_yarn/npm_and_yarn-f91475176b branch May 9, 2026 08:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Murderlon Murderlon Murderlon left review comments

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Murderlon