Bump the npm_and_yarn group across 1 directory with 11 updates

[dependabot]

Bumps the npm_and_yarn group with 11 updates in the / directory:

Package	From	To
basic-ftp	5.1.0	5.3.1
flatted	3.3.3	3.4.2
form-data	4.0.5	4.0.6
ip-address	10.1.0	10.2.0
js-yaml	4.1.1	4.2.0
lodash	4.17.23	4.18.1
postcss	8.5.6	8.5.15
rollup	4.57.1	4.62.2
serialize-javascript	6.0.2	removed
ws	8.19.0	8.21.0
fast-uri	3.1.0	3.1.2

Updates basic-ftp from 5.1.0 to 5.3.1

Release notes

Sourced from basic-ftp's releases.

5.3.1

• Fixed: Protect against unbounded control response, fixes GHSA-rpmf-866q-6p89.

5.3.0

• Changed: Introduced an upper bound for total bytes of directory listing, fixes GHSA-rp42-5vxx-qpwr.
• Added: Option to increase the upper bound for total bytes of directory listing in Client constructor.

5.2.2

• Fixed: Improve control character rejection, fixes GHSA-6v7q-wjvx-w8wg.

5.2.1

• Fixed: Reject control character injection attempts using paths. See GHSA-chqc-8p9q-pq6q.

5.2.0

• Changed: Skip files with invalid name in downloadToDir.

Changelog

Sourced from basic-ftp's changelog.

5.3.1

• Fixed: Protect against unbounded control response, fixes GHSA-rpmf-866q-6p89.

5.3.0

• Changed: Introduced an upper bound for total bytes of directory listing, fixes GHSA-rp42-5vxx-qpwr.
• Added: Option to increase the upper bound for total bytes of directory listing in Client constructor.

5.2.2

• Fixed: Improve control character rejection, fixes GHSA-6v7q-wjvx-w8wg.

5.2.1

• Fixed: Reject control character injection attempts using paths. See GHSA-chqc-8p9q-pq6q.

5.2.0

• Changed: Skip files with invalid name in downloadToDir. Fixes security vulnerability CVE-2026-27699, see GHSA-5rq4-664w-9x2c.

Commits

• 980371b Guard against unbounded control response
• 50827c7 Adjust changelog to match release notes
• c9378a8 Fix test
• 22abe43 Update Github Actions
• 0feaaec Fix test
• 6629d7d Improve error message
• 9c3bf4f Set higher default value for max size of directory listing
• acd3942 Bump version
• 1304429 Offer maxListingBytes as an option
• 5cb5367 Add bounded StringWriter
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by patrickjuchli, a new releaser for basic-ftp since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates flatted from 3.3.3 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates form-data from 4.0.5 to 4.0.6

Changelog

Sourced from form-data's changelog.

v4.0.6 - 2026-06-12

Commits

• [Fix] escape CR, LF, and " in field names and filenames 8dff42c
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape f31d21e
• [Deps] update hasown, mime-types 92ae0eb
• [Dev Deps] update js-randomness-predictor 67b0f65

Commits

• 64190db v4.0.6
• 92ae0eb [Deps] update hasown, mime-types
• f31d21e [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape
• 8dff42c [Fix] escape CR, LF, and " in field names and filenames
• 67b0f65 [Dev Deps] update js-randomness-predictor
• See full diff in compare view

Updates ip-address from 10.1.0 to 10.2.0

Commits

• 80fccaa 10.2.0
• abaeb4d Type Address4.addressMinusSuffix as non-nilable (closes #143)
• 2878c29 Preserve subnet prefix through Address6.to4() (closes #123) (#203)
• 586666e Reject trailing junk in Address6.fromURL (closes #158) (#202)
• 80bc76e Validate static factories instead of silently overflowing (#201)
• 98927be Clarify isValid() accepts CIDRs with host bits set (#81)
• a0eb073 Fix getScope() and broaden getType() classification (closes #122) (#200)
• ec52105 Add networkForm() for CIDR network-address strings (#199)
• a9443a7 Add isMapped4() predicate for IPv4-mapped IPv6 addresses (closes #62) (#198)
• f01d742 Add address-property predicates (private, ULA, loopback, link-local, etc.) (#...
• Additional commits viewable in compare view

Updates js-yaml from 4.1.1 to 4.2.0

Changelog

Sourced from js-yaml's changelog.

[4.2.0] - 2026-06-01

Added

• Added docs/safety.md with notes about processing untrusted YAML.
• Added maxDepth (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.
• Added maxMergeSeqLength (20) loader option. Not a problem after merge fix, but an additional restriction for safety.
• Added sourcemaps to dist/ builds.

Changed

• Stop resolving numbers with underscores as numeric scalars, #627.
• Switched dev toolchains to Vite / neostandard.
• Updated demo.
• Reorganized tests.
• dist/ files are no longer kept in the repository.

Fixed

• Fix parsing of properties on the first implicit block mapping key, #62.
• Fix trailing whitespace handling when folding flow scalar lines, #307.
• Reject top-level block scalars without content indentation, #280.
• Ensure numbers survive round-trip, #737.
• Fix test coverage for issue #221.
• Fix flow scalar trailing whitespace folding, #307.
• Fix digits in YAML named tag handles.

Security

• Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K).

[3.14.2] - 2025-11-15

Security

• Backported v4.1.1 fix to v3

Commits

• 590dbab 4.2.0 released
• f944dc5 Add package.json funding field
• f692719 Changelog update
• 9971a06 Fix digits in YAML named tag handles
• 464a5b8 Fix flow scalar trailing whitespace folding, close #307
• 1fda4f7 Tests for #567, #565
• 031ad07 Stop resolving numbers with underscores as numeric scalars, #627
• e46d223 CI config update
• 9023fee Add lockfile
• 990e6f4 Docs update
• Additional commits viewable in compare view

Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Updates postcss from 8.5.6 to 8.5.15

Release notes

Sourced from postcss's releases.

8.5.15

• Fixed declaration parsing performance (by @​homanp).

8.5.14

• Fixed custom syntax regression (by @​43081j).

8.5.13

• Fixed postcss-scss commend regression.

8.5.12

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

8.5.11

• Fixed nested brackets parsing performance (by @​offset).

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

Changelog

Sourced from postcss's changelog.

8.5.15

• Fixed declaration parsing performance (by @​homanp).

8.5.14

• Fixed custom syntax regression (by @​43081j).

8.5.13

• Fixed postcss-scss commend regression.

8.5.12

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

8.5.11

• Fixed nested brackets parsing performance (by @​offset).

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

Commits

• eae46db Release 8.5.15 version
• 79508ff Update CI actions
• b128e21 Speed up declaration parsing by avoiding creating new array on each token
• 9825dca Fix code format
• 55789c8 Update dependencies
• 84fbbe9 Install older pnpm action for old Node.js
• 9f860bd Revert pnpm action for old Node.js
• 0877198 Update CI actions
• b2d1a33 Fix linter warnings
• 0700dac Merge pull request #2088 from rootvector2/add-oss-fuzz-harness
• Additional commits viewable in compare view

Updates rollup from 4.57.1 to 4.62.2

Release notes

Sourced from rollup's releases.

v4.62.2

4.62.2

2026-06-19

Bug Fixes

• Do not add spurious side-effect-free external imports to chunks when using minChunkSize (#6411)

Pull Requests

• #6411: Skip side-effect-free external imports when hoisting is disabled (@​morgan-coded, @​lukastaegert)
• #6416: refactor(rust/parser_ast): extract property AstConverter write buffer kind logic to new method (@​fabianbernhart, @​lukastaegert)

v4.62.1

4.62.1

2026-06-19

Bug Fixes

• Preserve multipart file extensions when deconflicting output chunks (#6408)
• Fix an issue where getLogFilter would match additional logs (#6415)

Pull Requests

• #6393: Use import attributes for importing JSON (@​selfisekai, @​lukastaegert)
• #6408: fix: insert conflict numbers before first extension in multi-extension filenames (@​LeSingh1, @​lukastaegert)
• #6415: fix: advance value past wildcard prefix before suffix check in getLogFilter (@​JSap0914, @​lukastaegert)
• #6417: chore(deps): update msys2/setup-msys2 digest to 66cd2cc (@​renovate[bot])
• #6418: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6419: chore(deps): update dependency eslint-plugin-unicorn to v66 (@​renovate[bot])
• #6420: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)

v4.62.0

4.62.0

2026-06-13

Features

• Ensure that shared dependencies between manual chunks and entry points receive a serparate chunk (#6374)

Pull Requests

• #6374: Extract the static dependencies imported by manual chunks into separate chunks (@​TrickyPi, @​lukastaegert)
• #6405: fix(deps): update minor/patch updates (@​renovate[bot])
• #6406: chore(deps): pin dependency concurrently to v9 (@​renovate[bot], @​lukastaegert)
• #6407: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #6409: chore(deps): update minor/patch updates to v6.2.0 (@​renovate[bot])

... (truncated)

Changelog

Sourced from rollup's changelog.

4.62.2

2026-06-19

Bug Fixes

• Do not add spurious side-effect-free external imports to chunks when using minChunkSize (#6411)

Pull Requests

• #6411: Skip side-effect-free external imports when hoisting is disabled (@​morgan-coded, @​lukastaegert)
• #6416: refactor(rust/parser_ast): extract property AstConverter write buffer kind logic to new method (@​fabianbernhart, @​lukastaegert)

4.62.1

2026-06-19

Bug Fixes

• Preserve multipart file extensions when deconflicting output chunks (#6408)
• Fix an issue where getLogFilter would match additional logs (#6415)

Pull Requests

• #6393: Use import attributes for importing JSON (@​selfisekai, @​lukastaegert)
• #6408: fix: insert conflict numbers before first extension in multi-extension filenames (@​LeSingh1, @​lukastaegert)
• #6415: fix: advance value past wildcard prefix before suffix check in getLogFilter (@​JSap0914, @​lukastaegert)
• #6417: chore(deps): update msys2/setup-msys2 digest to 66cd2cc (@​renovate[bot])
• #6418: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6419: chore(deps): update dependency eslint-plugin-unicorn to v66 (@​renovate[bot])
• #6420: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)

4.62.0

2026-06-13

Features

• Ensure that shared dependencies between manual chunks and entry points receive a serparate chunk (#6374)

Pull Requests

• #6374: Extract the static dependencies imported by manual chunks into separate chunks (@​TrickyPi, @​lukastaegert)
• #6405: fix(deps): update minor/patch updates (@​renovate[bot])
• #6406: chore(deps): pin dependency concurrently to v9 (@​renovate[bot], @​lukastaegert)
• #6407: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #6409: chore(deps): update minor/patch updates to v6.2.0 (@​renovate[bot])
• #6410: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #6412: fix(deps): update minor/patch updates (@​renovate[bot])
• #6413: chore(deps): update dependency eslint-plugin-unicorn to v65 (@​renovate[bot])

... (truncated)

Commits

• 8faa187 4.62.2
• a38a795 refactor(rust/parser_ast): extract property AstConverter write buffer kind lo...
• 6cc5c31 Skip side-effect-free external imports when hoisting is disabled (#6411)
• caacf70 4.62.1
• d1e8297 Add missing ignore
• 1ba1fc2 fix: insert conflict numbers before first extension in multi-extension filena...
• 532bd0a Use import attributes for importing JSON (#6393)
• 2cd8194 fix: advance value past wildcard prefix before suffix check in getLogFilter (...
• dfac590 fix(deps): update minor/patch updates (#6418)
• 1d6db3d chore(deps): update dependency eslint-plugin-unicorn to v66 (#6419)
• Additional commits viewable in compare view

Removes serialize-javascript

Updates ws from 8.19.0 to 8.21.0

Release notes

Sourced from ws's releases.

8.21.0

Features

• Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

• Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

8.20.1

... (truncated)

Commits

• bca91ad [dist] 8.21.0
• 2b2abd4 [security] Limit retained message parts
• 78eabe2 [security] Add latest vulnerability to SECURITY.md
• 5d9b316 [dist] 8.20.1
• c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
• ce2a3d6 [ci] Test on node 26
• 58e45b8 [ci] Do not test on node 25
• 5f26c24 [ci] Run the lint step on node 24
• 8439255 [dist] 8.20.0
• d3503c1 [minor] Export the PerMessageDeflate class and header utils
• Additional commits viewable in compare view

Updates fast-uri from 3.1.0 to 3.1.2

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

• Fix for GHSA-v39h-62p7-jpjc

What's Changed

• Handle malformed fragment decoding as a parse error by @​mcollina in fastify/fast-uri#171

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

• Fix for GHSA-q3j6-qgpj-74h6

What's Changed

• build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @​dependabot[bot] in fastify/fast-uri#148
• build(deps): bump actions/checkout from 4 to 5 by @​dependabot[bot] in fastify/fast-uri#149
• chore(.npmrc): ignore scripts by @​Fdawgs in fastify/fast-uri#150
• build(deps-dev): remove @​fastify/pre-commit by @​Fdawgs in fastify/fast-uri#151
• build(deps): bump actions/setup-node from 4 to 5 by @​dependabot[bot] in fastify/fast-uri#152
• ci(ci): add concurrency config by @​Fdawgs in fastify/fast-uri#153
• build(deps): bump actions/setup-node from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#154
• build(deps): bump actions/checkout from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#156
• chore(license): standardise license notice by @​Fdawgs in fastify/fast-uri#159
• style: remove trailing whitespace by @​Fdawgs in fastify/fast-uri#161
• ci: remove unused github files by @​Tony133 in fastify/fast-uri#162
• chore: update readme by @​Tony133 in fastify/fast-uri#164
• build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-manager.yml from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#165
• build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#166
• build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @​dependabot[bot] in fastify/fast-uri#167
• ci: add lock-threads workflow by @​Fdawgs in fastify/fast-uri#169

New Contributors

• @​Tony133 made their first contribution in fastify/fast-uri#162

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

Commits

• 919dd8e Bumped v3.1.2
• c65ba57 fixup: linting
• 6c86c17 Merge commit from fork
• a95158a Handle malformed fragment decoding without throwing (#171)
• cea547c Bumped v3.1.1
• 876ce79 Merge commit from fork
• dcdf690 ci: add lock-threads workflow (#169)
• c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
• 9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
• 85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.