⬆️ Bump the npm_and_yarn group across 1 directory with 22 updates

[dependabot]

Bumps the npm_and_yarn group with 20 updates in the / directory:

Package	From	To
ajv	6.10.2	6.15.0
ansi-regex	3.0.0	3.0.1
ansi-regex	4.1.0	4.1.1
async	2.6.3	2.6.4
browserslist	4.6.6	4.28.2
copy-props	2.0.4	2.0.5
decode-uri-component	0.2.0	0.2.2
dot-prop	4.2.0	4.2.1
minimist	1.2.0	1.2.8
follow-redirects	1.10.0	1.16.0
form-data	2.3.3	removed
ini	1.3.5	1.3.8
minimatch	3.0.4	3.1.5
y18n	3.2.1	3.2.2
yargs-parser	5.0.0	5.0.1
yargs-parser	15.0.0	15.0.3
http-proxy	1.18.0	1.18.1
js-yaml	3.13.1	3.14.2
json5	1.0.1	1.0.2
loader-utils	1.2.3	1.4.2
lodash	4.17.15	4.18.1
qs	6.5.2	6.15.2

Updates ajv from 6.10.2 to 6.15.0

Release notes

Sourced from ajv's releases.

v6.12.6

Fix performance issue of "url" format.

v6.12.5

Fix uri scheme validation (@​ChALkeR). Fix boolean schemas with strictKeywords option (#1270)

v6.12.4

Fix: coercion of one-item arrays to scalar that should fail validation (failing example).

v6.12.3

Pass schema object to processCode function Option for strictNumbers (@​issacgerges, #1128) Fixed vulnerability related to untrusted schemas (CVE-2020-15366)

v6.12.2

Removed post-install script

v6.12.1

Docs and dependency updates

v6.12.0

Improved hostname validation (@​sambauers, #1143) Option keywords to add custom keywords (@​franciscomorais, #1137) Types fixes (@​boenrobot, @​MattiAstedrone) Docs:

• error logging example (@​RadiationSickness)
• TypeScript usage notes (@​thetric)

v6.11.0

Time formats support two digit and colon-less variants of timezone offset (#1061 , @​cjpillsbury) Docs: RegExp related security considerations Tests: Disabled failing typescript test

Commits

• 184bc32 6.15.0
• fea46af test/fix prototype pollution via $data ref with format keyword (#2606)
• e3af0a7 6.14.0
• b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
• 72f2286 docs: update v7 info
• 231e52b Merge pull request #1320 from philsturgeon/patch-1
• d3475fc Add spectral, an AJV util from a sponsor
• 413afe0 docs: v7.0.0-beta.3
• 11e997b update readme for v7
• fe59143 6.12.6
• Additional commits viewable in compare view

Updates ansi-regex from 3.0.0 to 3.0.1

Commits

• f545bdb 3.0.1
• c57d4c2 fix a few old XO issues for backport
• 419250f Fix potential ReDoS (#37)
• See full diff in compare view

Updates ansi-regex from 4.1.0 to 4.1.1

Commits

• f545bdb 3.0.1
• c57d4c2 fix a few old XO issues for backport
• 419250f Fix potential ReDoS (#37)
• See full diff in compare view

Updates async from 2.6.3 to 2.6.4

Changelog

Sourced from async's changelog.

v2.6.4

• Fix potential prototype pollution exploit (#1828)

Commits

• c6bdaca Version 2.6.4
• 8870da9 Update built files
• 4df6754 update changelog
• 8f7f903 Fix prototype pollution vulnerability (#1828)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by hargasinski, a new releaser for async since your current version.

Updates browserslist from 4.6.6 to 4.28.2

Release notes

Sourced from browserslist's releases.

4.28.2

• Fix prototype pollution (by @​chluo1997).

4.28.1

• Removed Baseline warning since we have it own warning.

4.27.0

• Added BROWSERSLIST_TRACE_WARNING environment variable.

4.26.3

• Fixed throwOnMissing with extends query (by @​alexander-akait).

4.26.2

• Fixed baseline-browser-mapping version requirement.

4.26.1

• Updated Firefox ESR.

4.26.0

• Added Baseline queries (by @​tonypconway).

4.25.4

• Fixed Windows support for custom stats (by @​torgeilo).

4.25.3

• Fixed ReDoS (by @​ericcornelissen).

4.25.2

• Fixed Node.js --permission support (by @​broofa).

4.25.1

• Updated Firefox ESR.

4.25.0

• Added cover 95% in browserslist-config-mycompany stats query support.

4.24.5

• Fixed support ESM shared config.
• Fixed docs (by Alexander Pushkov & マルコメ).

4.24.4

• Improved performance by using caching better (by @​thoughtspile).

4.24.3

• Updated Firefox ESR (by @​fpapado).

4.24.2

• Clarify outdated caniuse-lite warning text.

4.24.1

... (truncated)

Changelog

Sourced from browserslist's changelog.

4.28.2

• Fix prototype pollution (by @​chluo1997).

4.28.1

• Removed Baseline warning since we have it own warning.

4.48.0

• Added firefox >= esr query support (by @​SethFalco).
• Fixed docs (by @​SethFalco).

4.27.0

• Added BROWSERSLIST_TRACE_WARNING environment variable.

4.26.3

• Fixed throwOnMissing with extends query (by @​alexander-akait).

4.26.2

• Fixed baseline-browser-mapping version requirement.

4.26.1

• Updated Firefox ESR.

4.26.0

• Added Baseline queries (by @​tonypconway).

4.25.4

• Fixed Windows support for custom stats (by @​torgeilo).

4.25.3

• Fixed ReDoS (by @​ericcornelissen).

4.25.2

• Fixed Node.js --permission support (by @​broofa).

4.25.1

• Updated Firefox ESR.

4.25.0

... (truncated)

Commits

• 502ea00 Release 4.28.2 version
• 4621a79 Re-use single constant
• 0b5a150 Update email
• 8e105c8 Process all files with oxfmt
• a6247d5 Add oxfmt support
• 32e5cb1 Update dependencies
• 60c60b7 Merge pull request #926 from chluo1997/fix-pp
• f263978 fix: prevent prototype pollution
• 2b97b75 Merge pull request #924 from SethFalco/custom-stats
• f366165 docs: add more details on custom stats
• Additional commits viewable in compare view

Updates copy-props from 2.0.4 to 2.0.5

Commits

• See full diff in compare view

Updates decode-uri-component from 0.2.0 to 0.2.2

Release notes

Sourced from decode-uri-component's releases.

v0.2.2

• Prevent overwriting previously decoded tokens 980e0bf

SamVerschueren/decode-uri-component@v0.2.1...v0.2.2

v0.2.1

• Switch to GitHub workflows 76abc93
• Fix issue where decode throws - fixes #6 746ca5d
• Update license (#1) 486d7e2
• Tidelift tasks a650457
• Meta tweaks 66e1c28

SamVerschueren/decode-uri-component@v0.2.0...v0.2.1

Commits

• a0eea46 0.2.2
• 980e0bf Prevent overwriting previously decoded tokens
• 3c8a373 0.2.1
• 76abc93 Switch to GitHub workflows
• 746ca5d Fix issue where decode throws - fixes #6
• 486d7e2 Update license (#1)
• a650457 Tidelift tasks
• 66e1c28 Meta tweaks
• See full diff in compare view

Updates dot-prop from 4.2.0 to 4.2.1

Release notes

Sourced from dot-prop's releases.

v4.2.1

• Backport sindresorhus/dot-prop@3039c8c to the v4.x release line.

Commits

• c914124 feat: patch 4.2.0 with fixes for CVE-2020-8116
• See full diff in compare view

Updates minimist from 1.2.0 to 1.2.8

Changelog

Sourced from minimist's changelog.

v1.2.8 - 2023-02-09

Merged

• [Fix] Fix long option followed by single dash [#17](https://github.com/minimistjs/minimist/issues/17)
• [Tests] Remove duplicate test [#12](https://github.com/minimistjs/minimist/issues/12)
• [Fix] opt.string works with multiple aliases [#10](https://github.com/minimistjs/minimist/issues/10)

Fixed

• [Fix] Fix long option followed by single dash (#17) [#15](https://github.com/minimistjs/minimist/issues/15)
• [Tests] Remove duplicate test (#12) [#8](https://github.com/minimistjs/minimist/issues/8)
• [Fix] Fix long option followed by single dash [#15](https://github.com/minimistjs/minimist/issues/15)
• [Fix] opt.string works with multiple aliases (#10) [#9](https://github.com/minimistjs/minimist/issues/9)
• [Fix] Fix handling of short option with non-trivial equals [#5](https://github.com/minimistjs/minimist/issues/5)
• [Tests] Remove duplicate test [#8](https://github.com/minimistjs/minimist/issues/8)
• [Fix] opt.string works with multiple aliases [#9](https://github.com/minimistjs/minimist/issues/9)

Commits

• Merge tag 'v0.2.3' a026794
• [eslint] fix indentation and whitespace 5368ca4
• [eslint] fix indentation and whitespace e5f5067
• [eslint] more cleanup 62fde7d
• [eslint] more cleanup 36ac5d0
• [meta] add auto-changelog 73923d2
• [actions] add reusable workflows d80727d
• [eslint] add eslint; rules to enable later are warnings 48bc06a
• [eslint] fix indentation 34b0f1c
• [readme] rename and add badges 5df0fe4
• [Dev Deps] switch from covert to nyc a48b128
• [Dev Deps] update covert, tape; remove unnecessary tap f0fb958
• [meta] create FUNDING.yml; add funding in package.json 3639e0c
• [meta] use npmignore to autogenerate an npmignore file be2e038
• Only apps should have lockfiles 282b570
• isConstructorOrProto adapted from PR ef9153f
• [Dev Deps] update @ljharb/eslint-config, aud 098873c
• [Dev Deps] update @ljharb/eslint-config, aud 3124ed3
• [meta] add safe-publish-latest 4b927de
• [Tests] add aud in posttest b32d9bd
• [meta] update repo URLs f9fdfc0
• [actions] Avoid 0.6 tests due to build failures ba92fe6
• [Dev Deps] update tape 950eaa7
• [Dev Deps] add missing npmignore dev dep 3226afa
• Merge tag 'v0.2.2' 980d7ac

v1.2.7 - 2022-10-10

Commits

... (truncated)

Commits

• 6901ee2 v1.2.8
• a026794 Merge tag 'v0.2.3'
• c0b2661 v0.2.3
• 63b8fee [Fix] Fix long option followed by single dash (#17)
• 72239e6 [Tests] Remove duplicate test (#12)
• 34b0f1c [eslint] fix indentation
• 3226afa [Dev Deps] add missing npmignore dev dep
• 098873c [Dev Deps] update @ljharb/eslint-config, aud
• 9ec4d27 [Fix] Fix long option followed by single dash
• ba92fe6 [actions] Avoid 0.6 tests due to build failures
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for minimist since your current version.

Install script changes

This version adds prepublish script that runs during installation. Review the package contents before updating.

Updates follow-redirects from 1.10.0 to 1.16.0

Commits

• 0c23a22 Release version 1.16.0 of the npm package.
• 844c4d3 Add sensitiveHeaders option.
• 5e8b8d0 ci: add Node.js 24.x to the CI matrix
• 7953e22 ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6
• 86dc1f8 Sanitizing input.
• 21ef28a Release version 1.15.11 of the npm package.
• 7c88135 Roll back tree shaking.
• 6e389ba Release version 1.15.10 of the npm package.
• 5bc496e Shake me up before you go-go.
• 694d6b4 Bump minimist from 1.2.5 to 1.2.8
• Additional commits viewable in compare view

Removes form-data

Updates ini from 1.3.5 to 1.3.8

Commits

• a2c5da8 1.3.8
• af5c6bb Do not use Object.create(null)
• 8b648a1 don't test where our devdeps don't even work
• c74c8af 1.3.7
• 024b8b5 update deps, add linting
• 032fbaf Use Object.create(null) to avoid default object property hazards
• 2da9039 1.3.6
• cfea636 better git push script, before publish instead of after
• 56d2805 do not allow invalid hazardous string as section name
• See full diff in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for ini since your current version.

Updates minimatch from 3.0.4 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates semver from 5.3.0 to 5.7.0

Changelog

Sourced from semver's changelog.

Changelog

7.8.1 (2026-05-21)

Bug Fixes

• 17aa702 #869 strip build metadata before comparator trimming (#869) (@​owlstronaut)
• 5f3ca13 #867 handle prerelease bounds in subset (#867) (@​puneetdixit200, Puneet Dixit)

7.8.0 (2026-05-08)

Features

• 0d0a0a2 #855 Add truncate function (#855) (@​pjohnmeyer, @​owlstronaut)

Bug Fixes

• 3905343 #859 Warn when defaulting to --inc=patch in CLI (@​pjohnmeyer)

Documentation

• c368af6 #853 fix typos in documentation (#853) (@​ankitkumar572005)
• 37776c3 #846 fix BNF grammar to distinguish prerelease from build identifiers (#846) (@​abhu85, @​claude)

Chores

• 9542e09 #860 template-oss-apply (@​owlstronaut)
• 937bc2c #860 template-oss-apply@5.0.0 (@​owlstronaut)
• 6946fef #852 bump @​npmcli/template-oss from 4.29.0 to 4.30.0 (#852) (@​dependabot[bot], @​npm-cli-bot)

7.7.4 (2026-01-16)

Bug Fixes

• a29faa5 #835 cli: pass options to semver.valid() for loose version validation (#835) (@​mldangelo)

Documentation

• 1d28d5e #836 fix typos and update -n CLI option documentation (#836) (@​mldangelo)

Dependencies

• 120968b #840 @npmcli/template-oss@4.29.0 (#840)

Chores

• 44d7130 #824 bump @​npmcli/eslint-config from 5.1.0 to 6.0.0 (#824) (@​dependabot[bot])
• 7073576 #820 reorder parameters in invalid-versions.js test (#820) (@​reggi)
• 5816d4c #829 bump @​npmcli/template-oss from 4.28.0 to 4.28.1 (#829) (@​dependabot[bot], @​npm-cli-bot)

7.7.3 (2025-10-06)

Bug Fixes

• e37e0ca #813 faster paths for compare (#813) (@​H4ad)
• 2471d75 #811 x-range build metadata support (i529015)

Chores

• 8f05c87 #807 bump @​npmcli/template-oss from 4.25.0 to 4.25.1 (#807) (@​dependabot[bot], @​owlstronaut)

7.7.2 (2025-05-12)

Bug Fixes

• fcafb61 #780 add missing 'use strict' directives (#780) (@​Fdawgs)
• c99f336 #781 prerelease identifier starting with digits (#781) (@​mbtools)

Chores

• c760403 #784 template-oss-apply for workflow permissions (#784) (@​wraithgar)
• 2677f2a #778 bump @​npmcli/template-oss from 4.23.6 to 4.24.3 (#778) (@​dependabot[bot], @​npm-cli-bot)

7.7.1 (2025-02-03)

Bug Fixes

• af761c0 #764 inc: fully capture prerelease identifier (#764) (@​wraithgar)

... (truncated)

Commits

• 8055dda 5.7.0
• 604e73d auto-publishing scripts
• bed01e2 remove the nomin comments, since we don't minify any more anyway
• 9cb68f1 document parse method
• 38d42ca 5.7 changelog
• da8a771 Fix code style and get to 100% coverage
• 4d8306b drop windows testing
• 1af213f next-gen tap for testing
• b99ae3b Add semver.minVersion function.
• 6086e5a remove node 4
• Additional commits viewable in compare view

Updates tar from 2.2.2 to 4.4.8

Changelog

Sourced from tar's changelog.

Changelog

7.5

• Added zstd compression support.
• Consistent TOCTOU behavior in sync t.list
• Only read from ustar block if not specified in Pax
• Fix sync tar.list when file size reduces while reading
• Sanitize absolute linkpaths properly
• Prevent writing hardlink entries to the archive ahead of their file target

7.4

• Deprecate onentry in favor of onReadEntry for clarity.

7.3

• Add onWriteEntry option

7.2

• DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

• Update minipass to v7.1.0
• Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

• Drop support for node <18
• Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
• Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
• Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
• Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits

• 074c89b 4.4.8
• c7bc240 Fix hardlink extraction with strip.
• 0068764 Fix example typo
• 88d6071 4.4.7
• 41fce66 Fix #190: polyfill Buffer in lib/parse.js for node v4 <4.5
• ec2581a clarify EOF error messages
• 6c95323 write-entry: handle shrinked file size than expected by lstat
• 34bdf6b travis: no windows. A known failing test is worse than no test.
• dcab9b8 travis: add windows
• 4eb4e9b travis: Add node 10, remove 4
• Additional commits viewable in compare view

Updates y18n from 3.2.1 to 3.2.2

Release notes

Sourced from y18n's releases.

y18n y18n-v4.0.3

Bug Fixes

• release: 4.x.x should not enforce Node 10 (#126) (1e21a53)

y18n y18n-v4.0.2

Bug Fixes

• security: ensure entry exists for backport (#120) (b22c0df)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by oss-bot, a new releaser for y18n since your current version.

Updates yargs-parser from 5.0.0 to 5.0.1

Changelog

Sourced from yargs-parser's changelog.

5.0.0 (2017-02-18)

Bug Fixes

• environment variables should take precedence over config file (#81) (76cee1f)

BREAKING CHANGES

• environment variables will now override config files (args, env, config-file, config-object)

5.0.1 (2021-03-10)

Bug Fixes

• security: address GHSA-p9pc-299p-vxgp (#362) (1c417bd)

4.2.1 (2017-01-02)

Bug Fixes

• flatten/duplicate regression (#75) (68d68a0)

4.2.0 (2016-12-01)

Bug Fixes

• inner objects in configs had their keys appended to top-level key when dot-notation was disabled (#72) (0b1b5f9)

Features

• allow multiple arrays to be provided, rather than always combining (#71) (0f0fb2d)

4.1.0 (2016-11-07)

... (truncated)

Commits

• eab6c03 chore: release 5.0.1 (#363)
• 1c417bd fix(security): address GHSA-p9pc-299p-vxgp (#362)
• e93a345 chore: mark release in commit history (#361)
• ee15863 chore: push new package version
• 4774207 fix: back-porting prototype fixes for really old version (#271)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by oss-bot, a new releaser for yargs-parser since your current version.

Updates yargs-parser from 15.0.0 to 15.0.3

Changelog

Sourced from yargs-parser's changelog.

5.0.0 (2017-02-18)

Bug Fixes

• environment variables should take precedence over config file (#81) (76cee1f)

BREAKING CHANGES

• environment variables will now override config files (args, env, config-file, config-object)

5.0.1 (2021-03-10)

Bug Fixes

• security: address GHSA-p9pc-299p-vxgp (#362) (1c417bd)

4.2.1 (2017-01-02)

Bug Fixes

• flatten/duplicate regression (#75) (68d68a0)

4.2.0 (2016-12-01)

Bug Fixes

• inner objects in configs had their keys appended to top-level key when dot-notation was disabled (#72) (0b1b5f9)

Features

• allow multiple arrays to be provided, rather than always combining (#71) (0f0fb2d)

4.1.0 (2016-11-07)

... (truncated)

Commits

• eab6c03 chore: release 5.0.1 (#363)
• 1c417bd fix(security): address GHSA-p9pc-299p-vxgp (#362)
• e93a345 chore: mark release in commit history (#361)
• ee15863 chore: push new package version
• 4774207 fix: back-porting prototype fixes for really old version (#271)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by oss-bot, a new releaser for yargs-parser since your current version.

Updates http-proxy from 1.18.0 to 1.18.1

Changelog

Sourced from http-proxy's changelog.

v1.18.1 - 2020-05-17

Merged

• Skip sending the proxyReq event when the expect header is present [#1447](https://github.com/http-party/node-http-proxy/issues/1447)
• Remove node6 support, add node12 to build [#1397](https://github.com/http-party/node-http-proxy/issues/1397)

Commits

• 9b96cd7 1.18.1
• 335aeeb Skip sending the proxyReq event when the expect header is present (#1447)
• dba3966 Remove node6 support, add node12 to build (#1397)
• See full diff in compare view

Updates js-yaml from 3.13.1 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[3.14.2] - 2025-11-15

Security

• Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

• Types are now exported as yaml.types.XXX.
• Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

• Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

• Check migration guide to see details for all breaking changes.
• Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
• Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
• yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
• yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
• !!binary now always mapped to Uint8Array on load.
• Reduced nesting of /lib folder.
• Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
• dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
• Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
• Code snippet created in exceptions now contains multiple lines with line numbers.
• dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
• dump() with skipInvalid=true now serializes invalid items in collections as null.
• Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
• Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

• Added .mjs (es modules) support.
• Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
• Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.

... (truncated)

Commits

• Description has been truncated