Bump the npm_and_yarn group across 1 directory with 10 updates#1

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/npm_and_yarn-e3ee652008

dependabot[bot] commented on behalf of github on Jun 5, 2026

Bumps the npm_and_yarn group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| moment | 2.29.2 | 2.29.4 |
| ajv | 6.12.6 | 6.15.0 |
| axios | 0.19.2 | 1.17.0 |
| lodash | 4.17.21 | 4.18.1 |
| minimist | 1.2.5 | 1.2.8 |

Updates moment from 2.29.2 to 2.29.4

Changelog

Sourced from moment's changelog.

2.29.4

  • Release Jul 6, 2022
    • #6015 [bugfix] Fix ReDoS in preprocessRFC2822 regex

2.29.3 Full changelog

  • Release Apr 17, 2022
    • #5995 [bugfix] Remove const usage
    • #5990 misc: fix advisory link
Commits

Updates @octokit/plugin-paginate-rest from 2.17.0 to 14.0.0

Release notes

Sourced from @​octokit/plugin-paginate-rest's releases.

v14.0.0

14.0.0 (2025-10-31)

Features

  • add immutable releases, enterprise team membership, enterprise team organization endpoints (413e899)

BREAKING CHANGES

  • Remove GET /projects/{project_id}/columns
  • Remove GET /enterprises/{enterprise}/secret-scanning/alerts

v13.2.1

13.2.1 (2025-10-20)

Bug Fixes

v13.2.0

13.2.0 (2025-09-29)

Features

  • new Projects v2 endpoints, new code scanning dismissal endpoints, many other endpoints (#690) (0e236cb)

v13.1.1

13.1.1 (2025-06-27)

Bug Fixes

  • handle url in response when using pagination with compareCommits (#686) (8e5da25)

v13.1.0

13.1.0 (2025-06-16)

Features

  • add pagination support for compareCommits and compareCommitsWithBasehead (#678) (6d8ea8a)

v13.0.1

13.0.1 (2025-05-25)

... (truncated)

Commits
  • 413e899 feat: add immutable releases, enterprise team membership, enterprise team org...
  • 3d311d6 chore(deps): update dependency @​types/node to v24 (#701)
  • ba56fbc fix(deps): update @octokit/types (#698)
  • 80745be ci(action): update actions/checkout action to v5 (#687)
  • 0e236cb feat: new Projects v2 endpoints, new code scanning dismissal endpoints, many ...
  • bf19e3e chore(deps): update dependency prettier to v3.6.2 (#685)
  • 4f9fc56 ci(action): update actions/setup-node action to v5 (#688)
  • 8e5da25 fix: handle url in response when using pagination with compareCommits (#686)
  • 6d8ea8a feat: add pagination support for compareCommits and `compareCommitsWith...
  • 8ec2713 fix(deps): update @octokit/types - no new paginated endpoints (#680)
  • Additional commits viewable in compare view

Updates @octokit/request from 5.6.2 to 10.0.10

Release notes

Sourced from @​octokit/request's releases.

v10.0.10

10.0.10 (2026-05-26)

Bug Fixes

  • remove unused fast-content-type-parse dependency (#808) (25b0838)

v10.0.9

10.0.9 (2026-05-12)

Bug Fixes

  • deps: switch to using the "content-type" package for content type parsing (#807) (a9f64a0)

v10.0.8

10.0.8 (2026-02-20)

Bug Fixes

  • use json-with-bigint instead of built-in JSON methods in order to properly support int64's (#798) (f13f5d9)

v10.0.7

10.0.7 (2025-11-13)

Bug Fixes

  • readme: properly structure the options for custom agent (#786) (f17c1c1), closes #785

v10.0.6

10.0.6 (2025-10-30)

Bug Fixes

  • deps: update dependency @​octokit/types to v16 (#783) (1aeac56)

v10.0.5

10.0.5 (2025-09-29)

Bug Fixes

v10.0.4

10.0.4 (2025-09-29)

... (truncated)

Commits
  • 25b0838 fix: remove unused fast-content-type-parse dependency (#808)
  • b3d6b0b chore(deps): update dependency esbuild to ^0.28.0 (#804)
  • 7fdf739 ci(action): update actions/create-github-app-token action to v3 (#801)
  • 58b1f87 ci(action): update actions/add-to-project action to v2 (#806)
  • a9f64a0 fix(deps): switch to using the "content-type" package for content type parsin...
  • 4abc280 chore(deps): update dependency undici to v7.24.0 [security] (#800)
  • f13f5d9 fix: use json-with-bigint instead of built-in JSON methods in order to prop...
  • 9ba6ae0 Document that unsuccessful HTTP status code result in an exception (#795)
  • 7160b82 chore(deps): replace glob with tinyglobby (#791)
  • ab8018b ci(action): update peter-evans/create-or-update-comment action to v5 (#776)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​octokit/request since your current version.


Updates @octokit/request-error from 2.1.0 to 7.1.0

Release notes

Sourced from @​octokit/request-error's releases.

v7.1.0

7.1.0 (2025-11-13)

Features

  • inherit options from base Error class to add support for the cause property (#535/#536) (2ea2780)

v7.0.2

7.0.2 (2025-10-30)

Bug Fixes

  • deps: update dependency @​octokit/types to v16 (#533) (e5a75ef)

v7.0.1

7.0.1 (2025-09-29)

Bug Fixes

  • deps: update dependency @​octokit/types to v15 (#522) (4a453f2)

v7.0.0

7.0.0 (2025-05-20)

Continuous Integration

BREAKING CHANGES

  • Drop support for NodeJS v18

  • build: set minimal node version in build script to v20

  • ci: stop testing against NodeJS v18

v6.1.8

6.1.8 (2025-04-10)

Bug Fixes

  • deps: update dependency @​octokit/types to v14 (#505) (ab4ea7b)

v6.1.7

... (truncated)

Commits
  • 2ea2780 feat: inherit options from base Error class to add support for the cause ...
  • ac7b309 chore(deps): update vitest monorepo to v4 (major) (#531)
  • dadc76d ci(action): update peter-evans/create-or-update-comment action to v5 (#525)
  • f57f2e6 build(deps): lock file maintenance (#534)
  • e5a75ef fix(deps): update dependency @​octokit/types to v16 (#533)
  • e5d5de2 chore(deps): update dependency @​types/node to v24 (#532)
  • 8cc127b ci(action): update actions/setup-node action to v6 (#529)
  • b3a876b build(deps): lock file maintenance (#527)
  • cf1817b ci(action): update github/codeql-action action to v4 (#528)
  • 61f1e87 chore(deps): update dependency tinybench to v5 (#519)
  • Additional commits viewable in compare view

Updates @octokit/webhooks from 9.22.0 to 14.2.0

Release notes

Sourced from @​octokit/webhooks's releases.

v14.2.0

14.2.0 (2025-12-03)

Features

  • new secret_scanning_alert.assigned, secret_scanning_alert.unassigned, issue_dependencies events (#1189) (b47e4b0)

v14.1.3

14.1.3 (2025-07-31)

Bug Fixes

  • avoid Object.assign to avoid hiding potential type errors (#1166) (4c36fce)

v14.1.2

14.1.2 (2025-07-30)

Bug Fixes

v14.1.1

14.1.1 (2025-07-10)

Bug Fixes

  • createLogger should not recreate the logger object if it already exists (#1162) (18f0be5)

v14.1.0

14.1.0 (2025-06-29)

Features

v14.0.2

14.0.2 (2025-06-05)

Bug Fixes

v14.0.1

14.0.1 (2025-06-04)

... (truncated)

Commits
  • b47e4b0 feat: new secret_scanning_alert.assigned, `secret_scanning_alert.unassigned...
  • 5ca3206 ci(action): update github/codeql-action action to v4 (#1178)
  • 07b617c ci(action): update actions/setup-node action to v6 (#1179)
  • 3e7c815 build(deps): lock file maintenance (#1177)
  • be82b3d ci(action): update peter-evans/create-or-update-comment action to v5 (#1175)
  • 73ec1fc chore(deps): update vitest monorepo to v4 (major) (#1181)
  • 4b4ad0f build(deps): lock file maintenance (#1174)
  • 2a24466 ci(action): update actions/checkout action to v5 (#1170)
  • aea297e ci(action): update actions/setup-node action to v5 (#1172)
  • 302105e build(deps): lock file maintenance (#1168)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​octokit/webhooks since your current version.


Updates ajv from 6.12.6 to 6.15.0

Commits

Updates axios from 0.19.2 to 1.17.0

Release notes

Sourced from axios's releases.

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

  • Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
  • Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

  • HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

  • Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
  • Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
  • React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)
  • Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#10875)
  • Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#10812)
  • Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#10891)
  • Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#10956, #10952)
  • Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#10931)

🔧 Maintenance & Chores

  • HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#10861)
  • Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#10939)
  • CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#10907, #10911, #10916, #10927, #10935, #10983)
  • Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#10925, #10914, #10958)
  • Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#10890, #10889, #10921, #10945, #10905, #10933, #10915, #10887, #10955)
  • Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#10871, #10879, #10918, #10919, #10934, #10947, #10954, #10960)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates follow-redirects from 1.5.10 to 1.16.0

Commits
  • 0c23a22 Release version 1.16.0 of the npm package.
  • 844c4d3 Add sensitiveHeaders option.
  • 5e8b8d0 ci: add Node.js 24.x to the CI matrix
  • 7953e22 ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6
  • 86dc1f8 Sanitizing input.
  • 21ef28a Release version 1.15.11 of the npm package.
  • 7c88135 Roll back tree shaking.
  • 6e389ba Release version 1.15.10 of the npm package.
  • 5bc496e Shake me up before you go-go.
  • 694d6b4 Bump minimist from 1.2.5 to 1.2.8
  • Additional commits viewable in compare view

Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash, lodash-es, lodash-amd, and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Updates minimist from 1.2.5 to 1.2.8

Changelog

Sourced from minimist's changelog.

v1.2.8 - 2023-02-09

Merged

Fixed

Commits

  • Merge tag 'v0.2.3' a026794
  • [eslint] fix indentation and whitespace 5368ca4
  • [eslint] fix indentation and whitespace e5f5067
  • [eslint] more cleanup

Bumps the npm_and_yarn group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [moment](https://github.com/moment/moment) | `2.29.2` | `2.29.4` |
| [ajv](https://github.com/ajv-validator/ajv) | `6.12.6` | `6.15.0` |
| [axios](https://github.com/axios/axios) | `0.19.2` | `1.17.0` |
| [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.18.1` |
| [minimist](https://github.com/minimistjs/minimist) | `1.2.5` | `1.2.8` |



Updates `moment` from 2.29.2 to 2.29.4
- [Changelog](https://github.com/moment/moment/blob/develop/CHANGELOG.md)
- [Commits](moment/moment@2.29.2...2.29.4)

Updates `@octokit/plugin-paginate-rest` from 2.17.0 to 14.0.0
- [Release notes](https://github.com/octokit/plugin-paginate-rest.js/releases)
- [Commits](octokit/plugin-paginate-rest.js@v2.17.0...v14.0.0)

Updates `@octokit/request` from 5.6.2 to 10.0.10
- [Release notes](https://github.com/octokit/request.js/releases)
- [Commits](octokit/request.js@v5.6.2...v10.0.10)

Updates `@octokit/request-error` from 2.1.0 to 7.1.0
- [Release notes](https://github.com/octokit/request-error.js/releases)
- [Commits](octokit/request-error.js@v2.1.0...v7.1.0)

Updates `@octokit/webhooks` from 9.22.0 to 14.2.0
- [Release notes](https://github.com/octokit/webhooks.js/releases)
- [Commits](octokit/webhooks.js@v9.22.0...v14.2.0)

Updates `ajv` from 6.12.6 to 6.15.0
- [Release notes](https://github.com/ajv-validator/ajv/releases)
- [Commits](ajv-validator/ajv@v6.12.6...v6.15.0)

Updates `axios` from 0.19.2 to 1.17.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v0.19.2...v1.17.0)

Updates `follow-redirects` from 1.5.10 to 1.16.0
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.5.10...v1.16.0)

Updates `lodash` from 4.17.21 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

Updates `minimist` from 1.2.5 to 1.2.8
- [Changelog](https://github.com/minimistjs/minimist/blob/main/CHANGELOG.md)
- [Commits](minimistjs/minimist@v1.2.5...v1.2.8)

---
updated-dependencies:
- dependency-name: moment
  dependency-version: 2.29.4
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@octokit/plugin-paginate-rest"
  dependency-version: 14.0.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@octokit/request"
  dependency-version: 10.0.10
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@octokit/request-error"
  dependency-version: 7.1.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@octokit/webhooks"
  dependency-version: 14.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ajv
  dependency-version: 6.15.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: axios
  dependency-version: 1.17.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: follow-redirects
  dependency-version: 1.16.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimist
  dependency-version: 1.2.8
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
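
The axios 1.17.0 notes quoted in this pull request describe guarding socketPath, params and paramsSerializer reads with own-property checks so inherited prototype values cannot affect a request. The sketch below is an added example, not code from axios or from this pull request; the helper names (readOwn, resolveNaive, resolveGuarded, inheritedKeys) and the sample config are constructed for illustration.

```javascript
// Added illustration of own-property config reads; not axios source code.
// All helper names here are hypothetical.
const SENSITIVE_KEYS = ['socketPath', 'params', 'paramsSerializer'];

// Return config[key] only when key is an own property of config.
// hasOwnProperty is borrowed from Object.prototype so that configs created
// with Object.create(null) (no prototype at all) are handled too.
function readOwn(config, key) {
  if (config === null || typeof config !== 'object') return undefined;
  return Object.prototype.hasOwnProperty.call(config, key)
    ? config[key]
    : undefined;
}

// Unguarded form: plain property access walks the prototype chain, so a
// value the caller never set can still end up in the resolved options.
function resolveNaive(config) {
  const out = {};
  for (const key of SENSITIVE_KEYS) out[key] = config[key];
  return out;
}

// Guarded form: only values the caller set on the config object itself
// are copied. The result has no prototype, so later reads of it cannot
// pick up inherited values either.
function resolveGuarded(config) {
  const out = Object.create(null);
  for (const key of SENSITIVE_KEYS) out[key] = readOwn(config, key);
  return out;
}

// Detection helper: list sensitive keys that are visible on the config
// but not owned by it. A non-empty result is worth logging, because it
// means something upstream changed a shared prototype.
function inheritedKeys(config) {
  if (config === null || typeof config !== 'object') return [];
  return SENSITIVE_KEYS.filter(
    (key) => key in config && !Object.prototype.hasOwnProperty.call(config, key)
  );
}

// Constructed sample input: a local prototype object stands in for a
// modified shared prototype, so nothing global is touched.
const inheritedValues = { socketPath: '/constructed/inherited.sock' };
const callerConfig = Object.create(inheritedValues);
callerConfig.params = { page: 1 };

// Constructed sample input: a prototype-less config with an own socketPath.
const bareConfig = Object.create(null);
bareConfig.socketPath = '/constructed/own.sock';

console.log('naive   :', resolveNaive(callerConfig).socketPath);
console.log('guarded :', resolveGuarded(callerConfig).socketPath);
console.log('flagged :', inheritedKeys(callerConfig));
```
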
dependabot[bot] added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels on Jun 5, 2026