chore(deps): bump the npm_and_yarn group across 6 directories with 12 updates

[dependabot]

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package	From	To
nodemailer	7.0.10	7.0.11
form-data	2.3.3	4.0.4
jws	3.2.2	3.2.3
lodash	4.17.21	4.17.23
qs	6.13.0	6.14.2
validator	13.15.20	13.15.26

Bumps the npm_and_yarn group with 1 update in the /degens_bot directory: lodash.
Bumps the npm_and_yarn group with 1 update in the /mcp/frontend directory: next.
Bumps the npm_and_yarn group with 1 update in the /tiltcheck-organized/integrations/shared directory: qs.
Bumps the npm_and_yarn group with 6 updates in the /tiltcheck-organized/webapp directory:

Package	From	To
lodash	4.17.21	4.17.23
qs	6.13.0	6.14.2
jsonpath	1.1.1	1.3.0
node-forge	1.3.1	1.4.0
react-router	6.30.1	6.30.3
webpack	5.102.1	5.105.4

Bumps the npm_and_yarn group with 2 updates in the /webapp directory: yaml and next.

Updates nodemailer from 7.0.10 to 7.0.11

Release notes

Sourced from nodemailer's releases.

v7.0.11

7.0.11 (2025-11-26)

Bug Fixes

• prevent stack overflow DoS in addressparser with deeply nested groups (b61b9c0)

Changelog

Sourced from nodemailer's changelog.

7.0.11 (2025-11-26)

Bug Fixes

• prevent stack overflow DoS in addressparser with deeply nested groups (b61b9c0)

Commits

• 3d17dbe chore(master): release 7.0.11 (#1783)
• 15879f8 Bumped dev dependencies
• b61b9c0 fix: prevent stack overflow DoS in addressparser with deeply nested groups
• See full diff in compare view

Updates form-data from 2.3.3 to 4.0.4

Release notes

Sourced from form-data's releases.

v4.0.4

v4.0.4 - 2025-07-16

Commits

• [meta] add auto-changelog 811f682
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76
• [Fix] Switch to using crypto random for boundary values 3d17230
• [Tests] fix linting errors 5e34080
• [meta] actually ensure the readme backup isn’t published 316c82b
• [Dev Deps] update @ljharb/eslint-config 58c25d7
• [meta] fix readme capitalization 2300ca1

v4.0.3

v4.0.3 - 2025-06-05

Fixed

• [Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

• [eslint] use a shared config 426ba9a
• [eslint] fix some spacing issues 2094191
• [Refactor] use hasown 81ab41b
• [Fix] validate boundary type in setBoundary() method 8d8e469
• [Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1
• [Dev Deps] remove unused deps 870e4e6
• [meta] remove local commit hooks e6e83cc
• [Dev Deps] update eslint 4066fd6
• [meta] fix scripts to use prepublishOnly c4bbb13

v4.0.2

v4.0.2 - 2025-02-14

Merged

• [Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)
• [Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)
• fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)
• fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)

Fixed

• [Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)
• [Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)
• [Fix] set Symbol.toStringTag when available [#396](https://github.com/form-data/form-data/issues/396)

Commits

... (truncated)

Changelog

Sourced from form-data's changelog.

v4.0.4 - 2025-07-16

Commits

• [meta] add auto-changelog 811f682
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76
• [Fix] Switch to using crypto random for boundary values 3d17230
• [Tests] fix linting errors 5e34080
• [meta] actually ensure the readme backup isn’t published 316c82b
• [Dev Deps] update @ljharb/eslint-config 58c25d7
• [meta] fix readme capitalization 2300ca1

v4.0.3 - 2025-06-05

Fixed

• [Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

• [eslint] use a shared config 426ba9a
• [eslint] fix some spacing issues 2094191
• [Refactor] use hasown 81ab41b
• [Fix] validate boundary type in setBoundary() method 8d8e469
• [Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1
• [Dev Deps] remove unused deps 870e4e6
• [meta] remove local commit hooks e6e83cc
• [Dev Deps] update eslint 4066fd6
• [meta] fix scripts to use prepublishOnly c4bbb13

v4.0.2 - 2025-02-14

Merged

• [Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)
• [Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)
• fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)
• fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)

Fixed

• [Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)
• [Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)
• [Fix] set Symbol.toStringTag when available [#396](https://github.com/form-data/form-data/issues/396)

Commits

• Merge tags v2.5.3 and v3.0.3 92613b9
• [Tests] migrate from travis to GHA 806eda7
• [Tests] migrate from travis to GHA 8fdb3bc

... (truncated)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for form-data since your current version.

Install script changes

This version modifies prepublish script that runs during installation. Review the package contents before updating.

Updates jws from 3.2.2 to 3.2.3

Release notes

Sourced from jws's releases.

v3.2.3

Changed

• Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
• Upgrading JWA version to 1.4.2, addressing a compatibility issue for Node >= 25.

Changelog

Sourced from jws's changelog.

[3.2.3]

Changed

• Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
• Upgrading JWA version to 1.4.2, adressing a compatibility issue for Node >= 25.

[3.0.0]

Changed

• BREAKING: jwt.verify now requires an algorithm parameter, and jws.createVerify requires an algorithm option. The "alg" field signature headers is ignored. This mitigates a critical security flaw in the library which would allow an attacker to generate signatures with arbitrary contents that would be accepted by jwt.verify. See https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ for details.

2.0.0 - 2015-01-30

Changed

• BREAKING: Default payload encoding changed from binary to utf8. utf8 is a is a more sensible default than binary because many payloads, as far as I can tell, will contain user-facing strings that could be in any language. (6b6de48)

• Code reorganization, thanks @​fearphage! (7880050)

Added

• Option in all relevant methods for encoding. For those few users that might be depending on a binary encoding of the messages, this is for them. (6b6de48)

Commits

• 4f6e73f Merge commit from fork
• bd0fea5 version 3.2.3
• 7c3b4b4 Enhance tests for HMAC streaming sign and verify
• a9b8ed9 Improve secretOrKey initialization in VerifyStream
• 6707fde Improve secret handling in SignStream
• See full diff in compare view

Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jws since your current version.

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates qs from 6.13.0 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

6.14.1

• [Fix] ensure arrayLimit applies to [] notation as well
• [Fix] parse: when a custom decoder returns null for a key, ignore that key
• [Refactor] parse: extract key segment splitting helper
• [meta] add threat model
• [actions] add workflow permissions
• [Tests] stringify: increase coverage
• [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

• [New] parse: add throwOnParameterLimitExceeded option (#517)
• [Refactor] parse: use utils.combine more
• [patch] parse: add explicit throwOnLimitExceeded default
• [actions] use shared action; re-add finishers
• [meta] Fix changelog formatting bug
• [Deps] update side-channel
• [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
• [Tests] increase coverage

6.13.3

[Fix] fix regressions from robustness refactor [actions] update reusable workflows

6.13.2

• [Robustness] avoid .push, use void
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [actions] fix rebase workflow permissions

6.13.1

• [Fix] stringify: avoid a crash when a filter key is null
• [Fix] utils.merge: functions should not be stringified into keys
• [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
• [Fix] stringify: ensure a non-string filter does not crash
• [Refactor] use __proto__ syntax instead of Object.create for null objects
• [Refactor] misc cleanup

... (truncated)

Commits

• bdcf0c7 v6.14.2
• 294db90 [readme] document that addQueryPrefix does not add ? to empty output
• 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
• 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
• cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
• febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
• f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
• fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
• 1b9a8b4 [actions] fix rebase workflow permissions
• 2a35775 [meta] fix changelog typo (arrayLength → arrayLimit)
• Additional commits viewable in compare view

Updates validator from 13.15.20 to 13.15.26

Release notes

Sourced from validator's releases.

13.15.26

Fixes, New Locales and Enhancements

• #2535 isHexColor: add require_hashtag option @​Numbers0689
• #2633 isURL: handle possible bypass with URL-encoded content @​WikiRik
• #2634 isIBAN: improve IR locale @​ds1371dani
• Doc fixes and others:
  • #2640 @​WikiRik

New Contributors

• @​ds1371dani made their first contribution in validatorjs/validator.js#2634
• @​Numbers0689 made their first contribution in validatorjs/validator.js#2535

Full Changelog: validatorjs/validator.js@13.15.23...13.15.26

13.15.23

Fixes, New Locales and Enhancements

• Doc fixes and others:
  • #2631 @​WikiRik

Full Changelog: validatorjs/validator.js@13.15.22...13.15.23

13.15.22

Fixes, New Locales and Enhancements

• #2622 isURL: fix regression with hostnames with ports @​mbtools
• #2616 isLength: improve handling Unicode variation selectors @​koral--
• Doc fixes and others:
  • #2621 @​mbtools

New Contributors

• @​mbtools made their first contribution in validatorjs/validator.js#2622
• @​koral-- made their first contribution in validatorjs/validator.js#2616

Full Changelog: validatorjs/validator.js@13.15.20...13.15.22

Changelog

Sourced from validator's changelog.

13.15.26

Fixes, New Locales and Enhancements

• #2535 isHexColor: add require_hashtag option @​Numbers0689
• #2633 isURL: handle possible bypass with URL-encoded content @​WikiRik
• #2634 isIBAN: improve IR locale @​ds1371dani
• Doc fixes and others:
  • #2640 @​WikiRik

13.15.23

Fixes, New Locales and Enhancements

• Doc fixes and others:
  • #2631 @​WikiRik

13.15.22

Fixes, New Locales and Enhancements

• #2622 isURL: fix regression with hostnames with ports @​mbtools
• #2616 isLength: improve handling Unicode variation selectors @​koral--
• Doc fixes and others:
  • #2621 @​mbtools

Commits

• 784e52a docs(matches): add ReDoS note to README (#2640)
• 6531047 fix(isHexColor): add require_hashtag option (#2535)
• f605a9c fix(isURL): handle possible bypass with URL-encoded content (#2633)
• a165ebe fix(isIBAN): improve IR locale (#2634)
• 9113304 fix(build): move to trusted publishing (#2631)
• f2b5c17 maintenance: 2511 release (#2627)
• d457eca fix(isLength): correctly handle Unicode variation selectors (#2616)
• f2e3633 docs: add install instructions to contibution guide (#2621)
• cf40145 fix: URL validation for hostnames with ports (no protocol) (#2622)
• 4af6124 maintenance: 2510 release (#2585)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for validator since your current version.

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates next from 14.2.32 to 15.5.14

Release notes

Sourced from next's releases.

v15.5.14

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• feat(next/image): add lru disk cache and images.maximumDiskCacheSize (#91660)
• Fix(pages-router): restore Content-Length and ETag for /_next/data/ JSON responses (#90304)

Credits

Huge thanks to @​styfle and @​lllomh for helping!

v15.5.13

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @​ztanner for helping!

v15.5.12

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

• fix unlock in publish-native

This is a re-release of v15.5.11 applying the turbopack changes.

Commits

• d7b012d v15.5.14
• 2b05251 [backport] feat(next/image): add lru disk cache and `images.maximumDiskCacheS...
• f88cee9 Backport: Fix(pages-router): restore Content-Length and ETag for /_next/data/...
• cfd5f53 v15.5.13
• 15f2891 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
• d23f41c v15.5.12
• 8e75765 fix unlock in publish-native
• 6cef992 [backport] normalize CRLF line endings in jscodeshift tests on Windows (#8800...
• 7a94645 Apply needs for publishRelease
• bbfd4e3 v15.5.11
• Additional commits viewable in compare view

Updates qs from 6.13.0 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

6.14.1

• [Fix] ensure arrayLimit applies to [] notation as well
• [Fix] parse: when a custom decoder returns null for a key, ignore that key
• [Refactor] parse: extract key segment splitting helper
• [meta] add threat model
• [actions] add workflow permissions
• [Tests] stringify: increase coverage
• [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

• [New] parse: add throwOnParameterLimitExceeded option (#517)
• [Refactor] parse: use utils.combine more
• [patch] parse: add explicit throwOnLimitExceeded default
• [actions] use shared action; re-add finishers
• [meta] Fix changelog formatting bug
• [Deps] update side-channel
• [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
• [Tests] increase coverage

6.13.3

[Fix] fix regressions from robustness refactor [actions] update reusable workflows

6.13.2

• [Robustness] avoid .push, use void
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [actions] fix rebase workflow permissions

6.13.1

• [Fix] stringify: avoid a crash when a filter key is null
• [Fix] utils.merge: functions should not be stringified into keys
• [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
• [Fix] stringify: ensure a non-string filter does not crash
• [Refactor] use __proto__ syntax instead of Object.create for null objects
• [Refactor] misc cleanup

... (truncated)

Commits

• bdcf0c7 v6.14.2
• 294db90 [readme] document that addQueryPrefix does not add ? to empty output
• 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
• 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
• cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
• febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
• f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
• fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
• 1b9a8b4 [actions] fix rebase workflow permissions
• 2a35775 [meta] fix changelog typo (arrayLength → arrayLimit)
• Additional commits viewable in compare view

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates qs from 6.13.0 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

6.14.1

• [Fix] ensure arrayLimit applies to [] notation as well
• [Fix] parse: when a custom decoder returns null for a key, ignore that key
• [Refactor] parse: extract key segment splitting helper
• [meta] add threat model
• [actions] add workflow permissions
• [Tests] stringify: increase coverage
• [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

• [New] parse: add throwOnParameterLimitExceeded option (#517)
• [Refactor] parse: use utils.combine more
• [patch] parse: add explicit throwOnLimitExceeded default
• [actions] use shared action; re-add finishers
• [meta] Fix changelog formatting bug
• [Deps] update side-channel
• [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
• [Tests] increase coverage

6.13.3

[Fix] fix regressions from robustness refactor [actions] update reusable workflows

6.13.2

• [Robustness] avoid .push, use void
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [actions] fix rebase workflow permissions

6.13.1

• [Fix] stringify: avoid a crash when a filter key is null
• [Fix] utils.merge: functions should not be stringified into keys
• [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
• [Fix] stringify: ensure a non-string filter does not crash
• [Refactor] use __proto__ syntax instead of Object.create for null objects
• [Refactor] misc cleanup

... (truncated)

Commits

• bdcf0c7 v6.14.2
• 294db90 [readme] document that addQueryPrefix does not add ? to empty output
• 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
• 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
• cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
• febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
• f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
• fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
• 1b9a8b4 [actions] fix rebase workflow permissions
• 2a35775 [meta] fix changelog typo (arrayLength → arrayLimit)
• Additional commits viewable in compare view

Updates jsonpath from 1.1.1 to 1.3.0

Commits

• See full diff in compare view

Updates node-forge from 1.3.1 to 1.4.0

Changelog

Sourced from node-forge's changelog.

1.4.0 - 2026-03-24

Security

• HIGH: Denial of Service in BigInteger.modInverse()
  • A Denial of Service (DoS) vulnerability exists due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU.
  • Reported by Kr0emer.
  • CVE ID: CVE-2026-33891
  • GHSA ID: GHSA-5gfm-wpxj-wjgq
• HIGH: Signature forgery in RSA-PKCS due to ASN.1 extra field.
  • RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing "garbage" bytes within the ASN.1 structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN.1 structure, rather than outside of it.
  • Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries.
  • Reported as part of a U.C. Berkeley security research project by:
    • Austin Chu, Sohee Kim, and Corban Villa.
  • CVE ID: CVE-2026-33894
  • GHSA ID: GHSA-ppp5-5v6c-4jwp
• HIGH: Signature forgery in Ed25519 due to missing S < L check.
  • Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (S >= L). A valid signature and its S + L variant both verify in forge, while Node.js crypto.verify (OpenSSL-backed) rejects the S + L variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed.
  • Reported as part of a U.C. Berkeley security research project by:
    • Austin Chu, Sohee Kim, and Corban Villa.
  • CVE ID: CVE-2026-33895
  • GHSA ID: GHSA-q67f-28xg-22rw
• HIGH: basicConstraints bypass in certificate chain verification.
  • pki.verifyCertificateChain() does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid.
  • Reported by Doruk Tan Ozturk (@​peaktwilight) - doruk.ch
  • CVE ID: CVE-2026-33896
  • GHSA ID: GHSA-2328-f5f3-gj25

... (truncated)

Commits

• fa385f9 Release 1.4.0.
• 07d4e16 Update changelog.
• cb90fd9 Update changelog.
• 963e7c5 Add unit test for "pseudonym"
• f0b6f5b Add pseudonym OID
• 3df48a3 Fix missing CVE ID.

[github-actions]

🤖 CI/CD Pipeline Results

✅ Lint: Completed
✅ Security Scan: Completed
✅ Tests: Completed
✅ Build: Completed

📊 Details:

• Node.js versions tested: 18, 20
• Security scan report available in artifacts
• Build artifacts uploaded

🔍 Review the workflow run for detailed results.

[dependabot]

Superseded by #74.