build(deps): bump the npm_and_yarn group across 1 directory with 6 updates

[dependabot]

Bumps the npm_and_yarn group with 5 updates in the / directory:

Package	From	To
lodash	4.17.23	4.18.1
mongoose	8.17.0	8.22.1
@babel/plugin-transform-modules-systemjs	7.29.0	7.29.4
fast-uri	3.1.0	3.1.2
webpack-dev-server	5.2.3	5.2.4

Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Updates mongoose from 8.17.0 to 8.22.1

Release notes

Sourced from mongoose's releases.

8.22.1 / 2025-02-04

• fix: handle other top-level query operators in sanitizeFilter
• fix(document): when cloning a doc with subdocs, make sure the subdocs parent is the cloned doc #15904 #15901
• types(models): support Mongoose query casting in AnyBulkWriteOperation filter property #15910
• types: add toBSON() to documents #15927

8.22.0 / 2026-01-27

• feat(model): allow passing strict option to hydrate() #15944 #15940

8.21.1

• fix(clone): fix parent doc for map subdocuments and array subdocuments #15958 AbdelrahmanHafez
• fix(document): when cloning a doc with subdocs, make sure the subdocs parent is the cloned doc #15904 #15901
• fix: respect currentTime schema option in bulkWrite updates #15976 sderrow
• types(models): support Mongoose query casting in AnyBulkWriteOperation filter property #15910
• types: add toBSON() to documents #15927

8.21.0 / 2025-12-29

• feat(document): add support for getAtomics() to allow custom container types to utilize atomics #15817
• feat(document+model): pass options to pre('deleteOne') and update+options to pre('updateOne') hooks #15908 #15870
• fix: add support for typescript style enums #15914 #15913 mjfwebb

8.20.4 / 2025-12-18

• fix(model): ensure $isDeleted is set after calling doc.deleteOne() successfully #15898
• fix(document): use bitwise OR to accumulate version mode flags #15893 #15888 AbdelrahmanHafez

8.20.3 / 2025-12-15

• perf: use Object.hasOwn instead of Object#hasOwnProperty #15875 AbdelrahmanHafez
• fix: improve error when calling Document.prototype.init() with null/undefined #15812 Vegapunk-debug
• types(schema): avoid treating paths with default: null as required #15889
• types(schema): allow partial statics to schema.statics() #15780

8.20.2 / 2025-12-05

• fix(model): bump version if necessary after successful bulkSave() #15809 #15800
• fix(bulkWrite): pass overwriteImmutable option to castUpdate fixes #15789 #15782 #15781
• types(schema): allow calling schema.static() with as TStatics #15794 #15780

8.20.1 / 2025-11-20

• types: correct Model.schema type and fix unknown check for this param type in schema.methods #15750 #15693
• docs: add detailed loadClass() TypeScript usage guide #15731 #12813 Necro-Rohan
• docs: update version support documentation for Mongoose #15761 ManmathX
• docs: add copy-to-clipboard feature for code blocks in docs #15759 vedansha07

8.20.0 / 2025-11-17

... (truncated)

Changelog

Sourced from mongoose's changelog.

8.22.1 / 2026-02-04

• fix: handle other top-level query operators in sanitizeFilter
• fix(document): when cloning a doc with subdocs, make sure the subdocs parent is the cloned doc #15904 #15901
• types(models): support Mongoose query casting in AnyBulkWriteOperation filter property #15910
• types: add toBSON() to documents #15927

7.8.9 / 2026-02-04

• fix: handle other top-level query operators in sanitizeFilter

8.22.0 / 2026-01-27

• feat(model): allow passing strict option to hydrate() #15944 #15940

8.21.1 / 2026-01-23

• fix(clone): fix parent doc for map subdocuments and array subdocuments #15958 AbdelrahmanHafez
• fix(document): when cloning a doc with subdocs, make sure the subdocs parent is the cloned doc #15904 #15901
• fix: respect currentTime schema option in bulkWrite updates #15976 sderrow
• types(models): support Mongoose query casting in AnyBulkWriteOperation filter property #15910
• types: add toBSON() to documents #15927

9.1.5 / 2026-01-20

• fix(map): validate map subdocument when loaded with init #15960 #15957 AbdelrahmanHafez
• fix(discriminator): prevent indexes and callQueue duplication with shared nested schemas #15974 #15966 AbdelrahmanHafez
• fix(subdocuments): do not pass parent path on init #15970 #15969 #15682 AbdelrahmanHafez
• types(inferrawdoctype): correct handling for subdocs and doc arrays #15967 #13772
• docs: improve grammar and clarity in TypeScript schema comments #15971 harshsinghpujari

9.1.4 / 2026-01-15

• fix: attach sessions to docs retrieved by cursor #15953 #15949 mjfwalsh
• fix(model): make hydrate() handle nested schema arrays #15964 #15956
• fix(clone): fix parent doc for map subdocuments and array subdocuments #15958 #15954 AbdelrahmanHafez
• fix: prevent crash when accessing nested paths on prototype #15962 #15961 som14062005

9.1.3 / 2026-01-09

• fix(model): support timestamps option to insertMany() as both boolean and QueryTimestampsConfig #15941 #15938
• fix(query): include preview of current and incoming update in error when merging normal update with pipeline #15939 #15928
• types(model): apply basic type casting to paths underneath subdocuments #15948 #15947
• types(utility): make WithLevel1NestedPaths correctly handle PopulatedDoc and other TypeScript unions with Document members #15942 #15923
• docs(schema): expose "DocumentArrayElement" #15590 hasezoey

9.1.2 / 2026-01-05

• fix(subdocs): pass options to pre-save hooks for subdocs #15921 #15920 AbdelrahmanHafez
• perf(model): select only _id when checking document existence during save() #15919 AbdelrahmanHafez

... (truncated)

Commits

• 472e7c7 chore: release 8.22.1
• 1735149 Merge branch '7.x' into 8.x
• 5227801 chore: release 7.8.9
• b804e34 fix: handle other top-level query operators in sanitizeFilter
• 8d9a81f chore: release 8.22.0
• f752854 Merge pull request #15985 from Automattic/8.22
• e7a57ed avoid hardcoding dbName
• 31adbb4 chore: release 8.21.1
• 62a5af7 test: bring test cases from #15958 into 8.x to ensure fixes are applied in 8.x
• bc8cb23 implement review suggestions
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for mongoose since your current version.

Updates @babel/plugin-transform-modules-systemjs from 7.29.0 to 7.29.4

Release notes

Sourced from @​babel/plugin-transform-modules-systemjs's releases.

v7.29.4 (2026-05-05)

🐛 Bug Fix

• babel-plugin-transform-modules-systemjs
  • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

• Huáng Jùnliàng (@​JLHwung)

v7.29.3 (2026-04-30)

👓 Spec Compliance

• babel-parser
  • #17923 Support flow extends bound (@​JLHwung)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
• babel-register
  • #17915 Fix thread synchronization issues in @babel/register (@​liuxingbaoyu)
• babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env
  • #17788 Add bugfix plugin for Safari array rest destructuring bug (@​JLHwung)

💅 Polish

• babel-parser
  • #17782 Improve trailing comma comment handling (@​JLHwung)

📝 Documentation

• #17847 Replace npmjs.com links with npmx.dev (@​nicolo-ribaudo)

🏃‍♀️ Performance

• babel-helper-import-to-platform-api, babel-plugin-proposal-import-wasm-source, babel-plugin-transform-json-modules
  • #17818 Load async Wasm and JSON imports in parallel (@​nicolo-ribaudo)

Committers: 4

• Babel Bot (@​babel-bot)
• Huáng Jùnliàng (@​JLHwung)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• @​liuxingbaoyu

v7.29.2 (2026-03-16)

👓 Spec Compliance

• babel-parser
  • #17840 [7.x backport] async x => {} must be in leading pos (@​JLHwung)

🐛 Bug Fix

• babel-helpers, babel-plugin-transform-async-generator-functions, babel-preset-env, babel-runtime-corejs3
  • #17805 [7.x backport] fix: Properly handle await in finally (@​liuxingbaoyu)
• babel-preset-env

... (truncated)

Commits

• a458f66 v7.29.4
• 32ebd5a [7.x backport]fix(systemjs): improve module string name support (#17974)
• See full diff in compare view

Updates @opentelemetry/exporter-prometheus from 0.57.2 to 0.218.0

Release notes

Sourced from @​opentelemetry/exporter-prometheus's releases.

experimental/v0.218.0

0.218.0

🚀 Features

• feat(otlp-transformer): replace protobufjs metrics serialization with custom implementation #6625 @​pichlermarc
• feat(configuration): show all config validation errors, if there are multiple #6683 @​trentm
• feat(sdk-node): allow startNodeSDK() without an arg #6688 @​trentm

🏠 Internal

• refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions #6691 @​david-luna
• refactor(sdk-logs): use Logger.enabled() within Logger.emit() implementation #6680 @​david-luna

experimental/v0.217.0

0.217.0

🚀 Features

• feat(otlp-transformer): replace protobufjs trace serialization with custom implementation #6625 @​pichlermarc
• feat(configuration): auto-generate TypeScript types from OTel declarative config JSON schema (stable v1.0.0) using json-schema-to-typescript and ajv #6533 @​MikeGoldsmith
• feat(configuration, sdk-node): startNodeSDK() code path now uses log_level configuration to setup a DiagConsoleLogger #6668 @​trentm
  • Note that allowed values for log_level in a configuration YAML file are not the same set as for OTEL_LOG_LEVEL. Use log_level: trace to see all logs (equivalent of OTEL_LOG_LEVEL=ALL). Use log_level: fatal to effectively disable the SDK's internal diagnostic logger (equivalent of OTEL_LOG_LEVEL=NONE).
  • If log_level is not specified, a diagnostic console logger at "info" level will be setup.
  • An invalid YAML config file will now result in a noop OTel SDK.

🐛 Bug Fixes

• fix(configuration): do not validate OTEL_CONFIG_FILE value before using it for file config #6643 @​trentm
• fix(configuration): improve how 'additionalProperties' in JSON schema is translated to TS types #6650 @​trentm
• fix(configuration): remove stripMinItems and preprocessNullArrays from validation/parsing #6657 @​trentm
• fix(configuration): improve handling of enums in generated types #6659 @​trentm
• fix(configuration): improve the technique for removing '| null' on types the JSON Schema #6662 @​trentm
• fix(sampler-jaeger-remote): add missing axios dep #6656 @​trentm
• fix(exporter-prometheus): handle malformed URLs in Prometheus exporter request handler #6674 @​homanp

experimental/v0.216.0

0.216.0

🚀 Features

• feat(sdk-node): wire attribute_keys from declarative configuration to ViewOptions.attributesProcessors #6427 @​ravitheja4531-cell
• feat(sdk-node): set TracerProvider in startNodeSDK() #6607 @​maryliag

🐛 Bug Fixes

• fix(instrumentation-xml-http-request): avoid unwrapping XMLHttpRequest API when disabling #6611 @​david-luna
• fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix premature _isEnabled / _isFetchPatched flips in enable() @​brunorodmoreira

... (truncated)

Commits

• 06ad0ea chore: prepare next release (#6703)
• 38ca257 feat(otlp-transformer): replace protobufjs metrics serialization with custom ...
• 013c600 chore: prepare next release (#6699)
• b7a0c63 feat(semantic-conventions): update semantic conventions to v1.41.1 (#6695)
• 774143b chore(renovate): add minimumReleaseAge to config (#6697)
• e0dafe0 fix(otlp-exporter-base): remove brackets from IPv6 hostname in HTTP transport...
• f804c93 chore(deps): update github/codeql-action digest to 68bde55 (#6682)
• 95e48e7 refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions (...
• 907b627 feat(sdk-node): allow startNodeSDK() without an arg (#6688)
• 0d15261 docs: Add SIG meeting info and welcoming language (#6689)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​opentelemetry/exporter-prometheus since your current version.

Updates fast-uri from 3.1.0 to 3.1.2

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

• Fix for GHSA-v39h-62p7-jpjc

What's Changed

• Handle malformed fragment decoding as a parse error by @​mcollina in fastify/fast-uri#171

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

• Fix for GHSA-q3j6-qgpj-74h6

What's Changed

• build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @​dependabot[bot] in fastify/fast-uri#148
• build(deps): bump actions/checkout from 4 to 5 by @​dependabot[bot] in fastify/fast-uri#149
• chore(.npmrc): ignore scripts by @​Fdawgs in fastify/fast-uri#150
• build(deps-dev): remove @​fastify/pre-commit by @​Fdawgs in fastify/fast-uri#151
• build(deps): bump actions/setup-node from 4 to 5 by @​dependabot[bot] in fastify/fast-uri#152
• ci(ci): add concurrency config by @​Fdawgs in fastify/fast-uri#153
• build(deps): bump actions/setup-node from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#154
• build(deps): bump actions/checkout from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#156
• chore(license): standardise license notice by @​Fdawgs in fastify/fast-uri#159
• style: remove trailing whitespace by @​Fdawgs in fastify/fast-uri#161
• ci: remove unused github files by @​Tony133 in fastify/fast-uri#162
• chore: update readme by @​Tony133 in fastify/fast-uri#164
• build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-manager.yml from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#165
• build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#166
• build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @​dependabot[bot] in fastify/fast-uri#167
• ci: add lock-threads workflow by @​Fdawgs in fastify/fast-uri#169

New Contributors

• @​Tony133 made their first contribution in fastify/fast-uri#162

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

Commits

• 919dd8e Bumped v3.1.2
• c65ba57 fixup: linting
• 6c86c17 Merge commit from fork
• a95158a Handle malformed fragment decoding without throwing (#171)
• cea547c Bumped v3.1.1
• 876ce79 Merge commit from fork
• dcdf690 ci: add lock-threads workflow (#169)
• c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
• 9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
• 85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
• Additional commits viewable in compare view

Updates webpack-dev-server from 5.2.3 to 5.2.4

Release notes

Sourced from webpack-dev-server's releases.

v5.2.4

5.2.4 (2026-05-11)

Bug Fixes

• set Cross-Origin-Resource-Policy header to prevent source code theft over HTTP

Changelog

Sourced from webpack-dev-server's changelog.

5.2.4 (2026-05-11)

Bug Fixes

• set Cross-Origin-Resource-Policy header to prevent source code theft over HTTP

Commits

• fd40130 chore(release): 5.2.4
• ece4f36 chore: update deps (#5661)
• a216144 ci: fix test (#5658)
• df073c5 Merge commit from fork
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.