Skip to content

chore(deps): bump the npm_and_yarn group across 5 directories with 14 updates#9

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-234ca5e4cd
Open

chore(deps): bump the npm_and_yarn group across 5 directories with 14 updates#9
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-234ca5e4cd

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 30, 2026

Copy link
Copy Markdown

Bumps the npm_and_yarn group with 11 updates in the / directory:

Package From To
@mariozechner/pi-coding-agent 0.49.3 0.73.1
@whiskeysockets/baileys 7.0.0-rc.9 7.0.0-rc12
hono 4.11.4 4.12.25
markdown-it 14.1.0 14.2.0
tar 7.5.4 7.5.16
undici 7.19.0 7.28.0
ws 8.19.0 8.21.0
vitest 4.0.18 4.1.0
dompurify 3.3.1 3.4.11
vite 7.3.1 7.3.5
@opentelemetry/sdk-node 0.211.0 0.217.0

Bumps the npm_and_yarn group with 1 update in the /extensions/diagnostics-otel directory: @opentelemetry/sdk-node.
Bumps the npm_and_yarn group with 1 update in the /extensions/matrix directory: markdown-it.
Bumps the npm_and_yarn group with 1 update in the /extensions/zalo directory: undici.
Bumps the npm_and_yarn group with 3 updates in the /ui directory: vitest, dompurify and vite.

Updates @mariozechner/pi-coding-agent from 0.49.3 to 0.73.1

Release notes

Sourced from @​mariozechner/pi-coding-agent's releases.

v0.73.1

New Features

  • Self-update support for the npm scope migration: pi update --self now supports the upcoming package rename from @mariozechner/pi-coding-agent to @earendil-works/pi-coding-agent. After the new package is published, existing global installs can update through the normal self-update flow; pi will uninstall the old global package and install the package name returned by the version check endpoint.
  • Interactive OAuth login selection: OAuth providers can now present multiple login choices in /login, enabling provider-specific interactive authentication flows. See Providers.
  • JSONC-style models.json parsing: models.json now allows comments and trailing commas, making custom provider and model configuration easier to maintain. See Providers and Custom Providers.

Added

  • Added interactive login selection support so OAuth providers can present multiple login choices (#4190 by @​mitsuhiko).

Changed

  • Changed pi update --self to honor the active package name returned by the Pi version check endpoint, defaulting to the current package when omitted and uninstalling the old global package before installing a renamed package.
  • Changed extension loading to use upstream jiti 2.7 instead of the @mariozechner/jiti fork (#4244 by @​pi0).
  • Changed models.json parsing to allow comments and trailing commas (#4162 by @​julien-c).

Fixed

  • Fixed pi -p treating prompts that start with YAML frontmatter as extension flags instead of user messages (#4163).
  • Fixed pending tool results not updating in the live TUI after toggling thinking block visibility while the tool is running (#4167).
  • Fixed /copy reporting success on Linux without writing the clipboard on Wayland-only compositors (Hyprland, Niri, ...) by skipping the X11-only native addon on Linux and routing through wl-copy/xclip/xsel instead (#4177).
  • Fixed HTML session exports to strip skill wrapper XML from rendered user messages (#4234 by @​aliou).
  • Fixed OpenAI-compatible chat completion streams that interleave content and tool-call deltas in the same choice.
  • Fixed OpenAI Codex OAuth refresh failures writing directly to stderr while the TUI is active (#4141).
  • Fixed OpenAI Codex Responses requests to send a non-empty system prompt (#4184).
  • Fixed Kimi For Coding model resolution for the Kimi K2 P6 alias (#4218).
  • Fixed Kitty inline image redraws to stay within TUI-owned terminal regions and avoid writing below the active viewport.
  • Fixed Kitty inline image rendering by letting the terminal allocate image ids and bounding parsed image ids to valid values.
  • Fixed inline image capability detection to disable inline images in cmux terminals.

v0.73.0

New Features

Breaking Changes

  • Switched the built-in xiaomi provider from Token Plan AMS to Xiaomi's API billing endpoint, and renamed its /login display from "Xiaomi MiMo Token Plan" to "Xiaomi MiMo". XIAOMI_API_KEY now refers to the API billing key from platform.xiaomimimo.com. Users on Token Plan should switch to the appropriate xiaomi-token-plan-* provider and set the corresponding env var (#4112 by @​Phoen1xCode).

Added

  • Added three Xiaomi MiMo Token Plan regional providers visible in /login: xiaomi-token-plan-cn (XIAOMI_TOKEN_PLAN_CN_API_KEY), xiaomi-token-plan-ams (XIAOMI_TOKEN_PLAN_AMS_API_KEY), xiaomi-token-plan-sgp (XIAOMI_TOKEN_PLAN_SGP_API_KEY). Each defaults to mimo-v2.5-pro (#4112 by @​Phoen1xCode).

Changed

... (truncated)

Changelog

Sourced from @​mariozechner/pi-coding-agent's changelog.

[0.73.1] - 2026-05-07

New Features

  • Self-update support for the npm scope migration: pi update --self now supports the upcoming package rename from @mariozechner/pi-coding-agent to @earendil-works/pi-coding-agent. After the new package is published, existing global installs can update through the normal self-update flow; pi will uninstall the old global package and install the package name returned by the version check endpoint.
  • Interactive OAuth login selection: OAuth providers can now present multiple login choices in /login, enabling provider-specific interactive authentication flows. See Providers.
  • JSONC-style models.json parsing: models.json now allows comments and trailing commas, making custom provider and model configuration easier to maintain. See Providers and Custom Providers.

Added

  • Added interactive login selection support so OAuth providers can present multiple login choices (#4190 by @​mitsuhiko).

Changed

  • Changed pi update --self to honor the active package name returned by the Pi version check endpoint, defaulting to the current package when omitted and uninstalling the old global package before installing a renamed package.
  • Changed extension loading to use upstream jiti 2.7 instead of the @mariozechner/jiti fork (#4244 by @​pi0).
  • Changed models.json parsing to allow comments and trailing commas (#4162 by @​julien-c).

Fixed

  • Fixed pi -p treating prompts that start with YAML frontmatter as extension flags instead of user messages (#4163).
  • Fixed pending tool results not updating in the live TUI after toggling thinking block visibility while the tool is running (#4167).
  • Fixed /copy reporting success on Linux without writing the clipboard on Wayland-only compositors (Hyprland, Niri, ...) by skipping the X11-only native addon on Linux and routing through wl-copy/xclip/xsel instead (#4177).
  • Fixed HTML session exports to strip skill wrapper XML from rendered user messages (#4234 by @​aliou).
  • Fixed OpenAI-compatible chat completion streams that interleave content and tool-call deltas in the same choice.
  • Fixed OpenAI Codex OAuth refresh failures writing directly to stderr while the TUI is active (#4141).
  • Fixed OpenAI Codex Responses requests to send a non-empty system prompt (#4184).
  • Fixed Kimi For Coding model resolution for the Kimi K2 P6 alias (#4218).
  • Fixed Kitty inline image redraws to stay within TUI-owned terminal regions and avoid writing below the active viewport.
  • Fixed Kitty inline image rendering by letting the terminal allocate image ids and bounding parsed image ids to valid values.
  • Fixed inline image capability detection to disable inline images in cmux terminals.

[0.73.0] - 2026-05-04

New Features

Breaking Changes

  • Switched the built-in xiaomi provider from Token Plan AMS to Xiaomi's API billing endpoint, and renamed its /login display from "Xiaomi MiMo Token Plan" to "Xiaomi MiMo". XIAOMI_API_KEY now refers to the API billing key from platform.xiaomimimo.com. Users on Token Plan should switch to the appropriate xiaomi-token-plan-* provider and set the corresponding env var (#4112 by @​Phoen1xCode).

Added

  • Added three Xiaomi MiMo Token Plan regional providers visible in /login: xiaomi-token-plan-cn (XIAOMI_TOKEN_PLAN_CN_API_KEY), xiaomi-token-plan-ams (XIAOMI_TOKEN_PLAN_AMS_API_KEY), xiaomi-token-plan-sgp (XIAOMI_TOKEN_PLAN_SGP_API_KEY). Each defaults to mimo-v2.5-pro (#4112 by @​Phoen1xCode).

Changed

... (truncated)

Commits
  • 781152f Release v0.73.1
  • 7fa924b docs: audit unreleased changelog entries
  • 5e1e4c3 feat(coding-agent): support renamed self-update package
  • 50993d7 chore(coding-agent): switch back from fork to upstream jiti 2.7 (#4244)
  • 8861966 fix(coding-agent): strip skill wrapper XML from HTML export user messages (#4...
  • 060c10b fix(coding-agent): skip X11-only native addon for /copy on Linux
  • 755da30 fix(coding-agent): keep pending tool renders after thinking toggle
  • b5755fd feat(oauth): support interactive login selection (#4190)
  • bb25a39 feat(coding-agent): allow comments and trailing commas in models.json (#4162)
  • bac2df3 fix(coding-agent): handle frontmatter prompts in print mode
  • Additional commits viewable in compare view

Updates @whiskeysockets/baileys from 7.0.0-rc.9 to 7.0.0-rc12

Release notes

Sourced from @​whiskeysockets/baileys's releases.

v7.0.0-rc12

7.0.0-rc12

This version patches the security flaw addressed in GHSA-qvv5-jq5g-4cgg. Please exercise extreme caution and upgrade to the latest version or latest legacy version (6.7.22).

v7.0.0-rc11

A quick release meant to pin the libsignal pipeline to the NPM registry. The release also includes a small bug fix for old VPSes lacking SIMD support for the WASM. We moved Baileys's dep from git to NPM:

  1. This should remove the need to install git to install baileys.
  2. This should increase code transparency & security as libsignal now goes under the same Trusted Publishing and Provenance as Baileys rc10.

Read the full rc10 patch notes here: https://github.com/WhiskeySockets/Baileys/releases/tag/v7.0.0-rc10

We are working on migrating away from the libsignal dep as soon as possible to our own Rust-based equivalent to prevent licensing issues. Note that libsignal is in GPLv3 but Baileys is under MIT (Adhiraj left us a mess 😓).

v7.0.0-rc10

Since September, I've been working really hard on version 7. This is a really important version for Baileys. We introduced ESM, modernized the syntax and DX a lot compared to previous versions and been shipping stability fix after another. We faced a lot of challenges: LIDs, restrictions, WAM, warnings, bans, random logouts, decryption & encryption errors to name a few.

It is now, that I'm proud to announce, our biggest release yet:

VERSION 7.0.0-rc10 THE FINAL RELEASE CANDIDATE.

This is the largest release since we started the WhiskeySockets fork. Baileys hasn't been released since November 21, 2025, for a period of over 5 months.

Key changes include since rc9:

... (truncated)

Changelog

Sourced from @​whiskeysockets/baileys's changelog.

7.0.0-rc12 (2026-05-20)

Bug Fixes

  • process-message: only drop self-only protocolMessages from non-self senders (3beb08e)
Commits
  • 1aee6ed chore(release): v7.0.0-rc12
  • 3beb08e fix(process-message): only drop self-only protocolMessages from non-self senders
  • 28ca087 fix: guard fetch dispatcher option (#2557)
  • 988a34f chore(release): v7.0.0-rc11
  • 25bc999 Fix release and move to NPM based libsignal
  • 6cb7d34 feat: expose group online count in presence updates (#2545)
  • a263cb0 chore: bump whatsapp-rust-bridge@0.5.4 to support non simd (#2542)
  • dfad98f fix release
  • 04f6d70 ci: Update publishing to use Trusted Publishers
  • 42c19c7 chore(release): v7.0.0-rc10
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​whiskeysockets/baileys since your current version.

Install script changes

This version adds preinstall, prepare scripts that run during installation. Review the package contents before updating.


Updates hono from 4.11.4 to 4.12.25

Release notes

Sourced from hono's releases.

v4.12.25

Security fixes

This release includes fixes for the following security issues:

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2

Path traversal in serve-static on Windows via encoded backslash (%5C)

Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

Affects: hono/aws-lambda. Fixes multiple Set-Cookie response headers being joined into one comma-separated value for ALB single-header responses and VPC Lattice v2, where the value could not be split back into individual cookies and clients silently dropped or misparsed them. GHSA-j6c9-x7qj-28xf

Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

Affects: hono/lambda-edge. Fixes repeated request headers being written with overwrite instead of append, where only the last value of a header such as X-Forwarded-For reached the application and the remaining values were silently dropped. GHSA-wgpf-jwqj-8h8p

v4.12.24

What's Changed

Full Changelog: honojs/hono@v4.12.23...v4.12.24

v4.12.23

What's Changed

Full Changelog: honojs/hono@v4.12.22...v4.12.23

v4.12.22

What's Changed

... (truncated)

Commits

Updates markdown-it from 14.1.0 to 14.2.0

Changelog

Sourced from markdown-it's changelog.

[14.2.0] - 2026-05-24

Added

  • isPunctCharCode to utilities.

Fixed

  • Don't end HTML comment blocks on a blank line, #1155.
  • Properly recognize astral chars (surrogates) in delimiter scans for emphasis-like markers, #1072. Big thanks to @​tats-u for his global efforts with improving CJK support.
  • Preserve unicode whitespaces when trimm headings/paragraphs, #1074.
  • More strict entities decode to avoid false positives ;, #1096.
  • Restore block parser state on fail in lheading rule, #1131.

Security

  • Fixed poor smartquotes perfomance on > 70k quotes in single block
  • Bumped linkify-it to 5.0.1 with fixed potential perfomance issues.

[14.1.1] - 2026-01-11

Security

  • Fixed regression from v13 in linkify inline rule. Specific patterns could cause high CPU use. Thanks to @​ltduc147 for report.
Commits

Updates tar from 7.5.4 to 7.5.16

Commits
  • cf21338 7.5.16
  • 21a8220 do not apply PAX header fields to meta entries
  • 52632cf update project deps
  • 302f51f fix inconsequential typo in PENDINGLINKS symbol name
  • 55dbb99 remove some uses of mutate-fs
  • 87cc309 7.5.15
  • 7aef486 fix: regression in pending links detection
  • 6244eb3 7.5.14
  • 9704d8c stricter protection against hardlinks preempting their targets
  • 700734f update workflows and deps
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates undici from 7.19.0 to 7.28.0

Release notes

Sourced from undici's releases.

v7.28.0

⚠️ Security Release

This release line addresses 7 security advisories, all shipped in v7.28.0.

Action required: Upgrade to undici 7.28.0 or later.

npm install undici@^7.28.0

The v7 line is not affected by GHSA-38rv-x7px-6hhq (CVE-2026-9675), which is an 8.x-only regression.

Note on GHSA-hm92-r4w5-c3mj: this fix shipped in v7.28.0, not the earlier 7.2x line — the vulnerable single-pool code was still present through v7.27.2. The per-origin pool fix is 3805b8f8 (#5041).

Summary

Advisory CVE Severity (CVSS) Fixed in Fix commit
GHSA-vxpw-j846-p89q CVE-2026-12151 High (7.5) 7.28.0 8cb10f98
GHSA-vmh5-mc38-953g CVE-2026-9697 High (7.4) 7.28.0 04201f89
GHSA-hm92-r4w5-c3mj CVE-2026-6734 High (7.5) 7.28.0 3805b8f8
GHSA-pr7r-676h-xcf6 CVE-2026-9678 Moderate (5.9) 7.28.0 85a24055
GHSA-p88m-4jfj-68fv CVE-2026-9679 Moderate (5.9) 7.28.0 d0574cc4
GHSA-g8m3-5g58-fq7m CVE-2026-11525 Low (3.7) 7.28.0 d0574cc4
GHSA-35p6-xmwp-9g52 CVE-2026-6733 Low (3.7) 7.28.0 ea8930cf

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: 8cb10f98 websocket: limit the number of fragments in a message (part of backport a027a4a0 Backport WebSocket maxPayloadSize fixes to v7.x, #5423)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service.

  • Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
  • Workaround: none — upgrade is required.

TLS certificate validation bypass in SOCKS5 ProxyAgent — CVE-2026-9697

GHSA-vmh5-mc38-953g · CWE-295

... (truncated)

Commits
  • f9eba0a Bumped v7.28.0 (#5430)
  • a027a4a Backport WebSocket maxPayloadSize fixes to v7.x (#5423)
  • 8cb10f9 websocket: limit the number of fragments in a message
  • 04201f8 fix: honor requestTls when proxy is SOCKS5
  • fcd642f fix(socks5): preserve dispatch backpressure return value (#5166)
  • bc98c97 fix(socks5): use configured connector in Socks5ProxyAgent (#5168)
  • 9e1c743 fix(socks5): encode embedded IPv4 tails in IPv6 literals correctly (#5099)
  • 376c8be fix(socks5): enforce authenticated state before CONNECT (#5097)
  • 3805b8f fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing...
  • 85a2405 fix(cache): trim qualified field names
  • Additional commits viewable in compare view

Updates ws from 8.19.0 to 8.21.0

Release notes

Sourced from ws's releases.

8.21.0

Features

  • Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

  • Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

8.20.1

... (truncated)

Commits
  • bca91ad [dist] 8.21.0
  • 2b2abd4 [security] Limit retained message parts
  • 78eabe2 [security] Add latest vulnerability to SECURITY.md
  • 5d9b316 [dist] 8.20.1
  • c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
  • ce2a3d6 [ci] Test on node 26
  • 58e45b8 [ci] Do not test on node 25
  • 5f26c24 [ci] Run the lint step on node 24
  • 8439255 [dist] 8.20.0
  • d3503c1 [minor] Export the PerMessageDeflate class and header utils
  • Additional commits viewable in compare view

Updates vitest from 4.0.18 to 4.1.0

Release notes

Sourced from vitest's releases.

v4.1.0

Vitest 4.1 is out!

This release page lists all changes made to the project during the 4.1 beta. To get a review of all the new features, read our blog post.

   🚀 Features

… updates

Bumps the npm_and_yarn group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@mariozechner/pi-coding-agent](https://github.com/badlogic/pi-mono/tree/HEAD/packages/coding-agent) | `0.49.3` | `0.73.1` |
| [@whiskeysockets/baileys](https://github.com/WhiskeySockets/Baileys) | `7.0.0-rc.9` | `7.0.0-rc12` |
| [hono](https://github.com/honojs/hono) | `4.11.4` | `4.12.25` |
| [markdown-it](https://github.com/markdown-it/markdown-it) | `14.1.0` | `14.2.0` |
| [tar](https://github.com/isaacs/node-tar) | `7.5.4` | `7.5.16` |
| [undici](https://github.com/nodejs/undici) | `7.19.0` | `7.28.0` |
| [ws](https://github.com/websockets/ws) | `8.19.0` | `8.21.0` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.0.18` | `4.1.0` |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.3.1` | `3.4.11` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `7.3.1` | `7.3.5` |
| [@opentelemetry/sdk-node](https://github.com/open-telemetry/opentelemetry-js) | `0.211.0` | `0.217.0` |

Bumps the npm_and_yarn group with 1 update in the /extensions/diagnostics-otel directory: [@opentelemetry/sdk-node](https://github.com/open-telemetry/opentelemetry-js).
Bumps the npm_and_yarn group with 1 update in the /extensions/matrix directory: [markdown-it](https://github.com/markdown-it/markdown-it).
Bumps the npm_and_yarn group with 1 update in the /extensions/zalo directory: [undici](https://github.com/nodejs/undici).
Bumps the npm_and_yarn group with 3 updates in the /ui directory: [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest), [dompurify](https://github.com/cure53/DOMPurify) and [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite).


Updates `@mariozechner/pi-coding-agent` from 0.49.3 to 0.73.1
- [Release notes](https://github.com/badlogic/pi-mono/releases)
- [Changelog](https://github.com/earendil-works/pi/blob/main/packages/coding-agent/CHANGELOG.md)
- [Commits](https://github.com/badlogic/pi-mono/commits/v0.73.1/packages/coding-agent)

Updates `@whiskeysockets/baileys` from 7.0.0-rc.9 to 7.0.0-rc12
- [Release notes](https://github.com/WhiskeySockets/Baileys/releases)
- [Changelog](https://github.com/WhiskeySockets/Baileys/blob/master/CHANGELOG.md)
- [Commits](WhiskeySockets/Baileys@v7.0.0-rc.9...v7.0.0-rc12)

Updates `hono` from 4.11.4 to 4.12.25
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.11.4...v4.12.25)

Updates `markdown-it` from 14.1.0 to 14.2.0
- [Changelog](https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md)
- [Commits](markdown-it/markdown-it@14.1.0...14.2.0)

Updates `tar` from 7.5.4 to 7.5.16
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.4...v7.5.16)

Updates `undici` from 7.19.0 to 7.28.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.19.0...v7.28.0)

Updates `ws` from 8.19.0 to 8.21.0
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.19.0...8.21.0)

Updates `vitest` from 4.0.18 to 4.1.0
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.0/packages/vitest)

Updates `dompurify` from 3.3.1 to 3.4.11
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.3.1...3.4.11)

Updates `vite` from 7.3.1 to 7.3.5
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v7.3.5/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.3.5/packages/vite)

Updates `@opentelemetry/sdk-node` from 0.211.0 to 0.217.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@experimental/v0.211.0...experimental/v0.217.0)

Updates `@grpc/grpc-js` from 1.14.3 to 1.14.4
- [Release notes](https://github.com/grpc/grpc-node/releases)
- [Commits](https://github.com/grpc/grpc-node/compare/@grpc/grpc-js@1.14.3...@grpc/grpc-js@1.14.4)

Updates `linkify-it` from 5.0.0 to 5.0.1
- [Changelog](https://github.com/markdown-it/linkify-it/blob/master/CHANGELOG.md)
- [Commits](markdown-it/linkify-it@5.0.0...5.0.1)

Updates `protobufjs` from 6.8.8 to 7.5.4
- [Release notes](https://github.com/protobufjs/protobuf.js/releases)
- [Changelog](https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md)
- [Commits](protobufjs/protobuf.js@6.8.8...protobufjs-v7.5.4)

Updates `@opentelemetry/sdk-node` from 0.211.0 to 0.217.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@experimental/v0.211.0...experimental/v0.217.0)

Updates `markdown-it` from 14.1.0 to 14.2.0
- [Changelog](https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md)
- [Commits](markdown-it/markdown-it@14.1.0...14.2.0)

Updates `undici` from 7.19.0 to 7.28.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.19.0...v7.28.0)

Updates `vitest` from 4.0.18 to 4.1.0
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.0/packages/vitest)

Updates `dompurify` from 3.3.1 to 3.4.11
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.3.1...3.4.11)

Updates `vite` from 7.3.1 to 7.3.5
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v7.3.5/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.3.5/packages/vite)

---
updated-dependencies:
- dependency-name: "@mariozechner/pi-coding-agent"
  dependency-version: 0.73.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@whiskeysockets/baileys"
  dependency-version: 7.0.0-rc12
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: hono
  dependency-version: 4.12.25
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: markdown-it
  dependency-version: 14.2.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.16
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-version: 7.28.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-version: 8.21.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: vitest
  dependency-version: 4.1.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: dompurify
  dependency-version: 3.4.11
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 7.3.5
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@opentelemetry/sdk-node"
  dependency-version: 0.217.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@grpc/grpc-js"
  dependency-version: 1.14.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: linkify-it
  dependency-version: 5.0.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: protobufjs
  dependency-version: 7.5.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@opentelemetry/sdk-node"
  dependency-version: 0.217.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: markdown-it
  dependency-version: 14.2.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-version: 7.28.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: vitest
  dependency-version: 4.1.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: dompurify
  dependency-version: 3.4.11
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 7.3.5
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 30, 2026
@socket-security

Copy link
Copy Markdown

@socket-security

Copy link
Copy Markdown

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Block High
High CVE: Pi Agent: Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts in npm @mariozechner/pi-coding-agent

CVE: GHSA-jfgx-wxx8-mp94 Pi Agent: Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts (HIGH)

Affected versions: >= 0.50.0 <= 0.73.1

Patched version: No patched versions

From: package.jsonnpm/@mariozechner/pi-coding-agent@0.73.1

ℹ Read more on: This package | This alert | What is a CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@mariozechner/pi-coding-agent@0.73.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm strtok3 is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yamlnpm/@whiskeysockets/baileys@7.0.0-rc12npm/strtok3@10.3.5

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/strtok3@10.3.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm yargs is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yamlnpm/@opentelemetry/sdk-node@0.217.0npm/yargs@17.7.3

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yargs@17.7.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Low CVE: npm esbuild allows arbitrary file read when running the development server on Windows

CVE: GHSA-g7r4-m6w7-qqqr esbuild allows arbitrary file read when running the development server on Windows (LOW)

Affected versions: >= 0.27.3 < 0.28.1

Patched version: 0.28.1

From: pnpm-lock.yamlnpm/@vitest/coverage-v8@4.0.18npm/vitest@4.1.0npm/vite@7.3.5npm/esbuild@0.27.7

ℹ Read more on: This package | This alert | What is a mild CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.27.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants