chore(deps): bump the npm_and_yarn group across 1 directory with 8 updates

[dependabot]

Bumps the npm_and_yarn group with 8 updates in the / directory:

Package	From	To
glob	10.4.5	12.0.0
devalue	4.3.2	5.6.3
hono	4.7.1	4.12.4
tsup	8.3.0	8.3.5
minimatch	5.1.6	5.1.8
node-forge	1.3.1	1.3.2
undici	5.28.5	6.23.0
vite	5.4.14	5.4.21

Updates glob from 10.4.5 to 12.0.0

Changelog

Sourced from glob's changelog.

changeglob

13

• Move the CLI program out to a separate package, glob-bin. Install that if you'd like to continue using glob from the command line.

12

• Remove the unsafe --shell option. The --shell option is now ONLY supported on known shells where the behavior can be implemented safely.

11.1

GHSA-5j98-mcp5-4vw2

• Add the --shell option for the command line, with a warning that this is unsafe. (It will be removed in v12.)
• Add the --cmd-arg/-g as a way to safely add positional arguments to the command provided to the CLI tool.
• Detect commands with space or quote characters on known shells, and pass positional arguments to them safely, avoiding shell:true execution.

11.0

• Drop support for node before v20

10.4

• Add includeChildMatches: false option
• Export the Ignore class

10.3

• Add --default -p flag to provide a default pattern
• exclude symbolic links to directories when follow and nodir are both set

10.2

• Add glob cli

10.1

• Return '.' instead of the empty string '' when the current working directory is returned as a match.
• Add posix: true option to return / delimited paths, even on

... (truncated)

Commits

• 2b03cca 12.0.0
• d56203d prettier config
• bb521e5 Remove --shell option where unsafe to use
• 2551fb5 11.1.0
• 47473c0 bin: Do not expose filenames to shell expansion
• bc33fe1 skip tilde test on systems that lack tilde expansion
• 59bf9ca fix notes
• dde4fa6 docs(README): add #anchor and improve notes
• 0559b0e docs: add better links to path-scurry docs
• c9773c2 fix: correct typos in README.md
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for glob since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates devalue from 4.3.2 to 5.6.3

Release notes

Sourced from devalue's releases.

v5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

v5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

v5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

v5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

v5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

v5.4.1

Patch Changes

• ca3c7b6: chore: Remove impossible void type from replacer's uneval

v5.4.0

Minor Changes

• 9306d09: feat: pass uneval to replacer, for handling nested custom types

Patch Changes

• b617c7c: perf: shrink uneval output with null-proto objects

v5.3.2

Patch Changes

... (truncated)

Changelog

Sourced from devalue's changelog.

5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

5.4.1

Patch Changes

• ca3c7b6: chore: Remove impossible void type from replacer's uneval

5.4.0

Minor Changes

... (truncated)

Commits

• a4a37d2 Version Packages (#132)
• 819f1ac Merge commit from fork
• 0f04d4d Merge commit from fork
• fcf4e88 fix tests
• 1d8a5ea Version Packages (#131)
• 1175584 Merge commit from fork
• e46afa6 Merge commit from fork
• 5e07a67 Version Packages (#129)
• aa09604 Bump js-yaml from 3.14.1 to 3.14.2 (#125)
• 2161d44 fix: add hasOwn check before calling reviver (#128)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for devalue since your current version.

Updates hono from 4.7.1 to 4.12.4

Release notes

Sourced from hono's releases.

v4.12.4

Security fixes

This release includes fixes for the following security issues:

SSE Control Field Injection

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr

Cookie Attribute Injection in setCookie()

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w

Middleware Bypass in Serve Static

Affects: Serve Static middleware. Fixes inconsistent URL decoding that could allow protected static resources to be accessed without triggering route-based middleware. GHSA-q5qw-h33p-qvwr

Users who uses Strreaming Helper, Cookie utility, and Serve Static are strongly encouraged to upgrade to this version.

---

Other changes

• fix(client): preserve route schema in ApplyGlobalResponse by @​agumy in honojs/hono#4777
• fix(utils/url): specify the return type of tryDecodeURI by @​yusukebe in honojs/hono#4779

New Contributors

• @​agumy made their first contribution in honojs/hono#4777

Full Changelog: honojs/hono@v4.12.3...v4.12.4

v4.12.3

What's Changed

• fix(validator): prevent type diff bug in form data parsing by @​EdamAme-x in honojs/hono#4753
• fix(jwt): use Math.floor instead of bitwise OR for safe timestamp by @​EdamAme-x in honojs/hono#4754
• fix(jwt): fix JwtVariables for ContextVariableMap by @​yusukebe in honojs/hono#4764
• fix(types): remove DOM type dependencies from ClientResponse and request method by @​YevheniiKotyrlo in honojs/hono#4768
• fix(types): correct middleware types by @​hmnd in honojs/hono#4774
• fix(jwt): prevent memory leak by avoiding mutation of options object by @​EdamAme-x in honojs/hono#4759

New Contributors

• @​YevheniiKotyrlo made their first contribution in honojs/hono#4768
• @​hmnd made their first contribution in honojs/hono#4774

Full Changelog: honojs/hono@v4.12.2...v4.12.3

v4.12.2

Security fix

Fixed incorrect handling of X-Forwarded-For in the AWS Lambda adapter behind ALB that could allow IP-based access control bypass. The detail: GHSA-xh87-mx6m-69f3

... (truncated)

Commits

• 19d20d2 4.12.4
• 44ae0c8 Merge commit from fork
• f4123ed Merge commit from fork
• 80a9837 fix(utils/url): specify the return type of tryDecodeURI (#4779)
• 6a0607a Merge commit from fork
• 0768232 fix(client): preserve route schema in ApplyGlobalResponse (#4777)
• 790c57b 4.12.3
• bda46ac fix(jwt): prevent memory leak by avoiding mutation of options object (#4759)
• 0f505f4 fix(types): correct middleware types (#4774)
• eb9c112 fix(types): remove DOM type dependencies from ClientResponse and request meth...
• Additional commits viewable in compare view

Updates tsup from 8.3.0 to 8.3.5

Release notes

Sourced from tsup's releases.

v8.3.5

   🐞 Bug Fixes

• Run experimentalDts only once  -  by @​aryaemami59 in egoist/tsup#1236 (fddd4)

    View changes on GitHub

v8.3.4

No significant changes

    View changes on GitHub

v8.3.3

No significant changes

    View changes on GitHub

v8.3.1

   🚀 Features

• Add es2024 target  -  by @​sxzz (4c8cd)

   🐞 Bug Fixes

• Support TS 5.6 for svelte  -  by @​sxzz (28b9c)
• Add neutral value to platform options in schema.json  -  by @​venables in egoist/tsup#982 (a03db)
• Wider restriction for target option  -  by @​odanado in egoist/tsup#1118 (1979b)
• Add terser value to minify option in schema.json  -  by @​damienbutt in egoist/tsup#991 (34951)
• Change newlineKind to lf for experimentalDts  -  by @​aryaemami59 in egoist/tsup#1234 (4584b)
• Enable rollup output.compact when minify is enabled  -  by @​hyrious in egoist/tsup#1232 (9cc86)
• Support Node16 and NodeNext module resolution in experimentalDts  -  by @​aryaemami59 in egoist/tsup#1225 (41c98)

    View changes on GitHub

Commits

• cd03e1e chore: release v8.3.5
• fddd451 fix: run experimentalDts only once (#1236)
• 21b1193 chore: release v8.3.4
• 580e03d ci: fix release workflow
• 01b38f2 chore: release v8.3.3
• 4f5b71e ci: fix release workflow
• e80dad6 chore: release v8.3.2
• f4af79a ci: fix release workflow (#1241)
• 4b72d61 chore: release v8.3.1
• 41c98ff fix: support Node16 and NodeNext module resolution in experimentalDts (...
• Additional commits viewable in compare view

Updates minimatch from 5.1.6 to 5.1.8

Commits

• e92ae29 5.1.8
• 79e4447 limit recursion for **, improve perf considerably
• 85ec0ff lockfile update
• 647146e lock node version to 14
• 85646c8 5.1.7
• 977c2d8 update CI matrix and actions
• 421ad12 update test expectations for coalesced consecutive stars
• febe85d coalesce consecutive non-globstar * characters
• See full diff in compare view

Updates node-forge from 1.3.1 to 1.3.2

Changelog

Sourced from node-forge's changelog.

1.3.2 - 2025-11-25

Security

• HIGH: ASN.1 Validator Desynchronization
  • An Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-12816
  • GHSA ID: GHSA-5gfm-wpxj-wjgq
• HIGH: ASN.1 Unbounded Recursion
  • An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-66031
  • GHSA ID: GHSA-554w-wpv2-vw27
• MODERATE: ASN.1 OID Integer Truncation
  • An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-66030
  • GHSA ID: GHSA-65ch-62r8-g69g

Fixed

• [asn1] Fix for vulnerability identified by CVE-2025-12816 PKCS#12 MAC verification bypass due to missing macData enforcement and improper asn1.validate routine.
• [asn1] Add fromDer() max recursion depth check.
  • Add a asn1.maxDepth global configurable maximum depth of 256.
  • Add a asn1.fromDer() per-call maxDepth option.
  • NOTE: The default maximum is assumed to be higher than needed for valid data. If this assumption is false then this could be a breaking change. Please file an issue if there are use cases that need a higher maximum.
  • NOTE: The per-call maxDepth parameter has not been exposed up through all of the API stack due to the complexities involved. Please file an issue if there are use cases that require this instead of changing the default maximum.
• [asn1] Improve OID handling.
  • Error on parsed OID values larger than 2**32 - 1.
  • Error on DER OID values larger than 2**53 - 1 .

Commits

• 235ad3e Release 1.3.2.
• 2598244 Update changelog.
• 0032dd0 Fix typos.
• d75e08d Run new security test.
• a5ce91d Update changelog formatting.
• 4652de6 Cleanups.
• eb932d9 Fix typo.
• db6954b Fix style.
• afbf7d8 Align error message style.
• 6607445 Revert minor changes.
• Additional commits viewable in compare view

Updates undici from 5.28.5 to 6.23.0

Release notes

Sourced from undici's releases.

v6.23.0

⚠️ Security Release

This fixes GHSA-g9mf-h72j-4rw9 and CVE-2026-22036.

Full Changelog: nodejs/undici@v6.22.0...v6.23.0

v6.22.0

What's Changed

• fix: fix wrong stream canceled up after cloning (v6) by @​snyamathi in nodejs/undici#4414
• [Backport v6.x] fix: fix EnvHttpProxyAgent for the Node.js bundle by @​github-actions[bot] in nodejs/undici#4432
• feat(ProxyAgent): match Curl behavior in HTTP->HTTP Proxy connections (#4180) by @​metcoder95 in nodejs/undici#4433
• feat(ProxyAgent) improve Curl-y behavior in HTTP->HTTP Proxy connections (#4180) (#4340) by @​metcoder95 in nodejs/undici#4445
• Backport 4472 to v6.x by @​Uzlopak in nodejs/undici#4480

Full Changelog: nodejs/undici@v6.21.3...v6.22.0

v6.21.3

What's Changed

• [Backport v6.x] append crlf to formdata body by @​github-actions in nodejs/undici#4210

Full Changelog: nodejs/undici@v6.21.2...v6.21.3

v6.21.2

What's Changed

• fix(types): add missing DNS interceptor by @​slagiewka in nodejs/undici#4024
• [v6.x] fix wpts on windows by @​mcollina in nodejs/undici#4093
• Removed clients with unrecoverable errors from the Pool nodejs/undici#4088

New Contributors

• @​slagiewka made their first contribution in nodejs/undici#4024

Full Changelog: nodejs/undici@v6.21.1...v6.21.2

v6.21.1

⚠️ Security Release ⚠️

Fixes CVE CVE-2025-22150 GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

What's Changed

• fix(#3736): back-port 183f8e9 to v6.x by @​ggoodman in nodejs/undici#3855
• fix(#3817): send servername for SNI on TLS (#3821) [backport] by @​metcoder95 in nodejs/undici#3864
• fix: sending formdata bodies with http2 (#3863) [backport] by @​metcoder95 in nodejs/undici#3866
• [Backport v6.x] fix: Fixed the issue that there is no running request when http2 goaway by @​github-actions in nodejs/undici#3877
• types: [backport] Update return type of RetryCallback (#3851) by @​metcoder95 in nodejs/undici#3876

... (truncated)

Commits

• fbc31e2 Bumped v6.23.0
• 3477c94 chore: release flow using provenance
• d3aafea fix: limit Content-Encoding chain to 5 to prevent resource exhaustion
• f9c9185 Bumped v6.22.0
• f670f2a feat: make UndiciErrors reliable to instanceof (#4472) (#4480)
• 422e397 feat(ProxyAgent) improve Curl-y behavior in HTTP->HTTP Proxy connections (#41...
• 4a06ffe feat(ProxyAgent): match Curl behavior in HTTP->HTTP Proxy connections (#4180)...
• 4cb3974 fix: fix EnvHttpProxyAgent for the Node.js bundle (#4064) (#4432)
• 44c23e5 fix: fix wrong stream canceled up after cloning (v6) (#4414)
• da0e823 Bumped v6.21.4
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for undici since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates vite from 5.4.14 to 5.4.21

Release notes

Sourced from vite's releases.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

v5.4.19

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.21 (2025-10-20)

• fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970) (cad1d31), closes #20968 #20970
• chore: update CHANGELOG (ca88ed7)

5.4.20 (2025-09-08)

• fix: apply fs.strict check to HTML files (#20736) (482000f), closes #20736
• fix: port sirv@3.0.2 changes to sirv@2.0.4 (#20737) (4f1c35b), closes #20737

5.4.19 (2025-04-30)

• fix: backport #19965, check static serve file inside sirv (#19966) (766947e), closes #19965 #19966

5.4.18 (2025-04-10)

• fix: backport #19830, reject requests with # in request-target (#19831) (823675b), closes #19830 #19831

5.4.17 (2025-04-03)

• fix: backport #19782, fs check with svg and relative paths (#19784) (84b2b46), closes #19782 #19784

5.4.16 (2025-03-31)

• fix: backport #19761, fs check in transform middleware (#19762) (b627c50), closes #19761 #19762

5.4.15 (2025-03-24)

• fix: backport #19702, fs raw query with query separators (#19703) (807d7f0), closes #19702 #19703

Commits

• adce3c2 release: v5.4.21
• cad1d31 fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970)
• ca88ed7 chore: update CHANGELOG
• 997700f release: v5.4.20
• 482000f fix: apply fs.strict check to HTML files (#20736)
• 80a333a release: v5.4.19
• 766947e fix: backport #19965, check static serve file inside sirv (#19966)
• 731b77d release: v5.4.18
• 823675b fix: backport #19830, reject requests with # in request-target (#19831)
• 0a2518a release: v5.4.17
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.