Skip to content

build(deps): bump the npm_and_yarn group across 1 directory with 7 updates#8

Closed
dependabot[bot] wants to merge 1 commit into
seelefrom
dependabot/npm_and_yarn/npm_and_yarn-b9cb6c0549
Closed

build(deps): bump the npm_and_yarn group across 1 directory with 7 updates#8
dependabot[bot] wants to merge 1 commit into
seelefrom
dependabot/npm_and_yarn/npm_and_yarn-b9cb6c0549

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github May 14, 2026

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package From To
uuid 13.0.0 14.0.0
dompurify 3.3.3 3.4.0
marked 18.0.0 18.0.2
fast-uri 3.1.0 3.1.2
fast-xml-builder 1.1.4 1.2.0
ip-address 10.1.0 10.2.0

Updates uuid from 13.0.0 to 14.0.0

Release notes

Sourced from uuid's releases.

v14.0.0

14.0.0 (2026-04-19)

⚠ BREAKING CHANGES

  • expect crypto to be global everywhere (requires node@20+) (#935)
  • drop node@18 support (#934)

Features

Bug Fixes

  • expect crypto to be global everywhere (requires node@20+) (#935) (f2c235f)
  • Use GITHUB_TOKEN for release-please and enable npm provenance (#925) (ffa3138)

v13.0.2

13.0.2 (2026-05-04)

Bug Fixes

  • rerelease to fix provenance. (49ccb35)

v13.0.1

13.0.1 (2026-04-27)

Bug Fixes

Changelog

Sourced from uuid's changelog.

14.0.0 (2026-04-19)

Security

  • Fixes GHSA-w5hq-g745-h8pq: v3(), v5(), and v6() did not validate that writes would remain within the bounds of a caller-supplied buffer, allowing out-of-bounds writes when an invalid offset was provided. A RangeError is now thrown if offset < 0 or offset + 16 > buf.length.

⚠ BREAKING CHANGES

  • crypto is now expected to be globally defined (requires node@20+) (#935)
  • drop node@18 support (#934)
  • upgrade minimum supported TypeScript version to 5.4.3, in keeping with the project's policy of supporting TypeScript versions released within the last two years
Commits
  • 7c1ea08 chore(main): release 14.0.0 (#926)
  • 3d2c5b0 Merge commit from fork
  • f2c235f fix!: expect crypto to be global everywhere (requires node@20+) (#935)
  • 529ef08 chore: upgrade TypeScript and fixup types (#927)
  • 086fd79 chore: update dependencies (#933)
  • dc4ddb8 feat!: drop node@18 support (#934)
  • 0f1f9c9 chore: switch to Biome for parsing and linting (#932)
  • e2879e6 chore: use maintained version of npm-run-all (#930)
  • ffa3138 fix: Use GITHUB_TOKEN for release-please and enable npm provenance (#925)
  • 0423d49 docs: remove obsolete v1 option notes (#915)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for uuid since your current version.


Updates dompurify from 3.3.3 to 3.4.0

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.0

Most relevant changes:

  • Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @​kodareef5
  • Fixed several minor problems and typos regarding MathML attributes, thanks @​DavidOliver
  • Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @​1Jesper1
  • Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @​bencalif
  • Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @​trace37labs
  • Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @​eddieran
  • Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @​christos-eth
  • Fixed an issue with USE_PROFILES prototype pollution, thanks @​christos-eth
  • Fixed an issue leading to possible mXSS via Re-Contextualization, thanks @​researchatfluidattacks and others
  • Fixed an issue with closing tags leading to possible mXSS, thanks @​frevadiscor
  • Fixed a problem with the type dentition patcher after Node version bump
  • Fixed freezing BS runs by reducing the tested browsers array
  • Bumped several dependencies where possible
  • Added needed files for OpenSSF scorecard checks

Published Advisories are here: https://github.com/cure53/DOMPurify/security/advisories?state=published

Commits

Updates marked from 18.0.0 to 18.0.2

Release notes

Sourced from marked's releases.

v18.0.2

18.0.2 (2026-04-18)

Bug Fixes

  • fix infinite loop for indented code blank line (#3947) (58a52e8)

v18.0.1

18.0.1 (2026-04-17)

Bug Fixes

  • rules: ensure lookbehind regex is evaluated correctly by minifiers (#3945) (abd907a)
Commits
  • c4f4529 chore(release): 18.0.2 [skip ci]
  • 58a52e8 fix: fix infinite loop for indented code blank line (#3947)
  • 98b3824 chore(release): 18.0.1 [skip ci]
  • abd907a fix(rules): ensure lookbehind regex is evaluated correctly by minifiers (#3945)
  • 96351c4 chore(deps-dev): bump marked-highlight from 2.2.3 to 2.2.4 (#3946)
  • c132699 chore: update testutils (#3942)
  • See full diff in compare view

Updates fast-uri from 3.1.0 to 3.1.2

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

What's Changed

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

What's Changed

New Contributors

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

Commits
  • 919dd8e Bumped v3.1.2
  • c65ba57 fixup: linting
  • 6c86c17 Merge commit from fork
  • a95158a Handle malformed fragment decoding without throwing (#171)
  • cea547c Bumped v3.1.1
  • 876ce79 Merge commit from fork
  • dcdf690 ci: add lock-threads workflow (#169)
  • c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
  • 9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
  • 85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
  • Additional commits viewable in compare view

Updates fast-xml-builder from 1.1.4 to 1.2.0

Changelog

Sourced from fast-xml-builder's changelog.

1.2.0 (2026-05-08)

  • Add support for sanitizeName option
  • Support xml-naming for validating and sanitizing tag and attribute names

1.1.9 (2026-05-06)

  • fix: format output for preserve order when indent by is set to empty string

1.1.8 (2026-05-05)

  • fix: skip text property for PI tags
  • improve typings

1.1.7 (2026--05-04)

  • fix security issues when attribute value contains quotes

1.1.6 (2026--05-04)

  • fix security issues related to comment
  • skip comment with null value

1.1.5 (2026-04-17)

  • fix security issues related to comment and cdata

1.1.4 (2026-03-16)

  • support maxNestedTags option

1.1.3 (2026-03-13)

  • declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher

1.1.2 (2026-03-11)

  • fix typings

1.1.1 (2026-03-11)

  • upgrade path-expression-matcher to 1.1.3

1.1.0 (2026-03-10)

Commits

Updates ip-address from 10.1.0 to 10.2.0

Commits

Updates protobufjs from 6.8.8 to 7.5.4

Release notes

Sourced from protobufjs's releases.

protobufjs: v7.5.4

7.5.4 (2025-08-15)

Bug Fixes

protobufjs: v7.5.3

7.5.3 (2025-05-28)

Bug Fixes

  • descriptor extensions handling post-editions (#2075) (6e255d4)

protobufjs: v7.5.2

7.5.2 (2025-05-14)

Bug Fixes

protobufjs: v7.5.1

7.5.1 (2025-05-08)

Bug Fixes

  • optimize regressions from editions implementations (#2066) (6406d4c)
  • reserved field inside group blocks fail parsing (#2058) (56782bf)

protobufjs: v7.5.0

7.5.0 (2025-04-15)

Features

  • add Edition 2023 Support (f04ded3)
  • add Edition 2023 Support (ac9a3b9)
  • add Edition 2023 Support (e5ca5c8)
  • add Edition 2023 Support (a84409b)
  • add Edition 2023 Support (9c5a178)
  • add Edition 2023 Support (b2c6867)
  • add Edition 2023 Support (60f3e51)
  • add Edition 2023 Support (a656361)
  • add Edition 2023 Support (869a95b)
  • add Edition 2023 Support (b936af4)
  • add Edition 2023 Support (a938467)

... (truncated)

Changelog

Sourced from protobufjs's changelog.

7.5.4 (2025-08-15)

Bug Fixes

7.5.3 (2025-05-28)

Bug Fixes

  • descriptor extensions handling post-editions (#2075) (6e255d4)

7.5.2 (2025-05-14)

Bug Fixes

7.5.1 (2025-05-08)

Bug Fixes

  • optimize regressions from editions implementations (#2066) (6406d4c)
  • reserved field inside group blocks fail parsing (#2058) (56782bf)

7.5.0 (2025-04-15)

Features

  • add Edition 2023 Support (f04ded3)
  • add Edition 2023 Support (ac9a3b9)
  • add Edition 2023 Support (e5ca5c8)
  • add Edition 2023 Support (a84409b)
  • add Edition 2023 Support (9c5a178)
  • add Edition 2023 Support (b2c6867)
  • add Edition 2023 Support (60f3e51)
  • add Edition 2023 Support (a656361)
  • add Edition 2023 Support (869a95b)
  • add Edition 2023 Support (b936af4)
  • add Edition 2023 Support (a938467)
  • add Edition 2023 Support (1af8454)
  • add Edition 2023 Support (785416f)
  • add feature resolution (a9ffc8a)
  • add feature resolution and tests (68b5339)
  • add feature resolution for protobuf editions (547afa2)

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by google-wombot, a new releaser for protobufjs since your current version.

Install script changes

This version modifies prepublish script that runs during installation. Review the package contents before updating.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
build(deps): bump the npm_and_yarn group across 1 directory with 7 up…
0141e72 
…dates

Bumps the npm_and_yarn group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [uuid](https://github.com/uuidjs/uuid) | `13.0.0` | `14.0.0` |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.3.3` | `3.4.0` |
| [marked](https://github.com/markedjs/marked) | `18.0.0` | `18.0.2` |
| [fast-uri](https://github.com/fastify/fast-uri) | `3.1.0` | `3.1.2` |
| [fast-xml-builder](https://github.com/NaturalIntelligence/fast-xml-builder) | `1.1.4` | `1.2.0` |
| [ip-address](https://github.com/beaugunderson/ip-address) | `10.1.0` | `10.2.0` |



Updates `uuid` from 13.0.0 to 14.0.0
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](uuidjs/uuid@v13.0.0...v14.0.0)

Updates `dompurify` from 3.3.3 to 3.4.0
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.3.3...3.4.0)

Updates `marked` from 18.0.0 to 18.0.2
- [Release notes](https://github.com/markedjs/marked/releases)
- [Commits](markedjs/marked@v18.0.0...v18.0.2)

Updates `fast-uri` from 3.1.0 to 3.1.2
- [Release notes](https://github.com/fastify/fast-uri/releases)
- [Commits](fastify/fast-uri@v3.1.0...v3.1.2)

Updates `fast-xml-builder` from 1.1.4 to 1.2.0
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-builder/blob/main/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-builder@v1.1.4...v1.2.0)

Updates `ip-address` from 10.1.0 to 10.2.0
- [Commits](https://github.com/beaugunderson/ip-address/commits)

Updates `protobufjs` from 6.8.8 to 7.5.4
- [Release notes](https://github.com/protobufjs/protobuf.js/releases)
- [Changelog](https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md)
- [Commits](protobufjs/protobuf.js@6.8.8...protobufjs-v7.5.4)

---
updated-dependencies:
- dependency-name: uuid
  dependency-version: 14.0.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: dompurify
  dependency-version: 3.4.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: marked
  dependency-version: 18.0.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: fast-uri
  dependency-version: 3.1.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-xml-builder
  dependency-version: 1.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ip-address
  dependency-version: 10.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: protobufjs
  dependency-version: 7.5.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 14, 2026
@dependabot @github
Copy link
Copy Markdown
Author

dependabot Bot commented on behalf of github May 16, 2026

Superseded by #9.

@dependabot dependabot Bot closed this May 16, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm_and_yarn-b9cb6c0549 branch May 16, 2026 20:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants