Skip to content

build(deps): Bump the npm_and_yarn group across 1 directory with 13 updates#2

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-bead21617e
Open

build(deps): Bump the npm_and_yarn group across 1 directory with 13 updates#2
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-bead21617e

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 12, 2026

Copy link
Copy Markdown

Bumps the npm_and_yarn group with 3 updates in the / directory: @nestjs/core, ws and yaml.

Updates @nestjs/core from 11.1.13 to 11.1.27

Release notes

Sourced from @​nestjs/core's releases.

v11.1.27

What's Changed

Full Changelog: nestjs/nest@v11.1.26...v11.1.27

v11.1.26

What's Changed

Full Changelog: nestjs/nest@v11.1.25...v11.1.26

v11.1.25

What's Changed

New Contributors

Full Changelog: nestjs/nest@v11.1.24...v11.1.25

v11.1.24 (2026-05-25)

Bug fixes

Enhancements

Dependencies

Committers: 2

v11.1.23 (2026-05-21)

Bug fixes

  • core

... (truncated)

Commits
  • 660a124 chore(release): publish v11.1.27 release
  • 5c5e9ba fix(core): sse async handlers teardown issue #17128
  • aa5c4f1 chore: update readme and package.json
  • 9ff83d5 chore(release): publish v11.1.26 release
  • 0f398fd test: fix broken unit test
  • d152eec fix(core): post sse endpoint empty response #17098
  • 02f8041 chore(release): publish v11.1.25 release
  • e2ad4e2 Update package.json
  • 396cf81 refactor(core): avoid duplicating sse intercept call
  • 55cd699 fix(core): preserve deferred SSE handlers
  • Additional commits viewable in compare view

Updates axios from 1.13.4 to 1.18.1

Release notes

Sourced from axios's releases.

v1.18.1 — June 21, 2026

This release focuses on Node HTTP adapter fixes, safer AxiosError serialisation, runtime/type correctness fixes, documentation updates, and dependency maintenance.

🐛 Bug Fixes

  • AxiosError Serialisation: Made AxiosError#cause non-enumerable to prevent circular JSON serialisation failures when errors include nested causes. (#10913)
  • Node HTTP Adapter: Guarded socket.setKeepAlive for proxy agent streams, accepted path-only URLs when socketPath is configured, deferred environment proxy handling to Node, and explicitly passed maxBodyLength through to follow-redirects. (#10917, #10930, #10942, #10993)
  • Runtime and Type Correctness: Fixed several runtime crashes, type definition mismatches, and incorrect error handling paths. (#10959, #11021)
  • AxiosURLSearchParams: Switched the encoder callback to an arrow function so encoder.call(this) receives the AxiosURLSearchParams instance correctly. (#11019)

🔧 Maintenance & Chores

  • Documentation: Documented sensitive headers and status transition behaviour, prepared cleaned-up docs, added Deno install instructions, and clarified that request data is request-specific (#11007, #11010, #11023, #11025)

  • Dependencies: Bumped vite, rollup, form-data, js-yaml, and multer across the root project, docs, smoke tests, and module test workspaces. (#11011, #11012, #11013, #11014, #11015, #11016, #11017, #11026)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

  • Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

  • URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

  • Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

  • Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

  • Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

  • Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

  • Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

  • URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

  • Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

  • Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

  • Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

  • Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

  • Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
  • Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

  • HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

  • Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)

... (truncated)

Commits
  • a209bfb chore(release): prepare release 1.18.1 (#11027)
  • fa6a55e chore(deps-dev): bump multer from 2.1.1 to 2.2.0 (#11026)
  • 40e7be8 docs: clarifies that request data is request-specific in axios (#11025)
  • a446b39 fix(AxiosURLSearchParams): use arrow function so encoder.call(this) receives ...
  • cf1306a docs: add Deno to install instructions (#11023)
  • b32880a fix: incorrect use of error (#11021)
  • 1792eda fix: ensure maxBodyLength is explicitly passed to follow-redirects (#10993)
  • 30499d6 fix: various runtime crashes and type definition mismatches (#10959)
  • 20ce9c4 fix(http): defer env proxy handling to Node (#10942)
  • e64bcf9 chore(deps): merge branch 'v1.x' into tests/module/cjs (#11014)
  • Additional commits viewable in compare view
Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates basic-ftp from 5.1.0 to 5.3.1

Release notes

Sourced from basic-ftp's releases.

5.3.1

5.3.0

  • Changed: Introduced an upper bound for total bytes of directory listing, fixes GHSA-rp42-5vxx-qpwr.
  • Added: Option to increase the upper bound for total bytes of directory listing in Client constructor.

5.2.2

5.2.1

5.2.0

  • Changed: Skip files with invalid name in downloadToDir.
Changelog

Sourced from basic-ftp's changelog.

5.3.1

5.3.0

  • Changed: Introduced an upper bound for total bytes of directory listing, fixes GHSA-rp42-5vxx-qpwr.
  • Added: Option to increase the upper bound for total bytes of directory listing in Client constructor.

5.2.2

5.2.1

5.2.0

Commits
Maintainer changes

This version was pushed to npm by patrickjuchli, a new releaser for basic-ftp since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates brace-expansion from 2.0.2 to 5.0.6

Release notes

Sourced from brace-expansion's releases.

v4.0.1

  • fmt 5a5cc17
  • Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 0b6a978

juliangruber/brace-expansion@v4.0.0...v4.0.1

v4.0.0

  • feat: use string replaces instead of splits (#64) 278132b
  • fmt dd72a59
  • add tea.yaml 70e4c1b

juliangruber/brace-expansion@v3.0.0...v4.0.0

As a precaution to not risk breaking anything with 278132b, this is a new semver major release

v3.0.1

  • pkg: publish on tag 3.x 3059c07
  • fmt 8229e6f
  • Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 15f9b3c

juliangruber/brace-expansion@v3.0.0...v3.0.1

v3.0.0

  • Switch to ES Modules and balanced-match 3.0.0 (#62) c0360e8
  • added jsdoc (#55) 68c0e37
  • node 16 is EOL 9e781e9
  • add standard 3494c4d
  • use const and let (#57) dd5a4cb
  • docs 6dad209
  • remove test e3dd8ae
  • ci: update node versions d23ede9
  • docs: add @​lanodan to contributors 1eb3fa4
  • docs 1e7c9cd
  • switch from tape to test module (#60) 2520537
  • Bump minimist from 1.2.5 to 1.2.6 (#59) 61a94f1
  • Bump path-parse from 1.0.6 to 1.0.7 (#51) dc741cf
  • docs: add back ci badge 8ee5626
  • Add github actions, remove travis. Closes #52 (#53) 5c8756a
  • CI: Drop unused sudo: false Travis directive (#50) 05978a7

juliangruber/brace-expansion@v2.0.1...v3.0.0

v2.1.1

  • Backport v5.0.6 change to v2 (#109) c3a817c

... (truncated)

Commits
Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates file-type from 21.3.0 to 21.3.4

Release notes

Sourced from file-type's releases.

v21.3.4

  • Harden parser more aec20a0

sindresorhus/file-type@v21.3.3...v21.3.4

v21.3.3

  • Harden parser c48c90b 135f91b

sindresorhus/file-type@v21.3.2...v21.3.3

v21.3.2

  • Fix ZIP bomb in known-size ZIP probing (GHSA-j47w-4g3g-c36v) a155cd7
  • Fix bound recursive BOM and ID3 detection 370ed91

sindresorhus/file-type@v21.3.1...v21.3.2

v21.3.1


sindresorhus/file-type@v21.3.0...v21.3.1

Commits

Updates follow-redirects from 1.15.11 to 1.16.0

Commits
  • 0c23a22 Release version 1.16.0 of the npm package.
  • 844c4d3 Add sensitiveHeaders option.
  • 5e8b8d0 ci: add Node.js 24.x to the CI matrix
  • 7953e22 ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6
  • 86dc1f8 Sanitizing input.
  • See full diff in compare view

Updates immutable from 3.7.6 to 5.1.8

Release notes

Sourced from immutable's releases.

v5.1.8

What's Changed

Full Changelog: immutable-js/immutable-js@v5.1.7...v5.1.8

v5.1.7

What's Changed

internal

New Contributors

Full Changelog: immutable-js/immutable-js@v5.1.6...v5.1.7

v5.1.6

What's Changed

Internal

... (truncated)

Changelog

Sourced from immutable's changelog.

5.1.8

4.3.9

5.1.7

5.1.6

  • fix(reverseFactory): read reversedSequence.size in __iterator instead of this #2196

5.1.5

  • Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

5.1.4

Documentation

Internal

5.1.3

TypeScript

... (truncated)

Commits
  • 6496539 5.1.8
  • 808a83a Merge commit from fork
  • e51d49f perf(Map): index large hash-collision buckets for faster lookups
  • 25c58b0 fix typescript in tests
  • a1a1ee4 Merge commit from fork
  • f4c94e2 fix(List): refactor bounds validation and add coverage
  • c221031 Merge pull request #2228 from immutable-js/node-24-in-actions
  • dcfe0ee Upgrade actions
  • 40aeb47 5.1.7
  • 6a1860f Merge pull request #2227 from chatman-media/fix/repeat-last-index-of-off-by-one
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for immutable since your current version.


Updates ip-address from 10.1.0 to 10.2.0

Commits
  • 80fccaa 10.2.0
  • abaeb4d Type Address4.addressMinusSuffix as non-nilable (closes #143)
  • 2878c29 Preserve subnet prefix through Address6.to4() (closes #123) (#203)
  • 586666e Reject trailing junk in Address6.fromURL (closes #158) (#202)
  • 80bc76e Validate static factories instead of silently overflowing (#201)
  • 98927be Clarify isValid() accepts CIDRs with host bits set (#81)
  • a0eb073 Fix getScope() and broaden getType() classification (closes #122) (#200)
  • ec52105 Add networkForm() for CIDR network-address strings (#199)
  • a9443a7 Add isMapped4() predicate for IPv4-mapped IPv6 addresses (closes #62) (#198)
  • f01d742 Add address-property predicates (private, ULA, loopback, link-local, etc.) (#...
  • Additional commits viewable in compare view

Updates minimatch from 9.0.5 to 10.2.5

Changelog

Sourced from minimatch's changelog.

change log

10.2

  • Add braceExpandMax option

10.1

  • Add magicalBraces option for escape
  • Fix makeRe when partial: true is set.
  • Fix makeRe when pattern ends in a final ** path part.

10.0

  • Require node 20 or 22 and higher

9.0

  • No default export, only named exports.

8.0

  • Recursive descent parser for extglob, allowing correct support for arbitrarily nested extglob expressions
  • Bump required Node.js version

7.4

  • Add escape() method
  • Add unescape() method
  • Add Minimatch.hasMagic() method

7.3

  • Add support for posix character classes in a unicode-aware way.

7.2

  • Add windowsNoMagicRoot option

7.1

  • Add optimizationLevel configuration option, and revert the default back to the 6.2 style minimal optimizations, making the advanced transforms introduced in 7.0 opt-in. Also, process provided file paths in the same way in optimizationLevel:2 mode, so most things that matched with optimizationLevel 1 or 0 should match with level 2 as well. However, level 1 is the default, out of an abundance of caution.

... (truncated)

Commits

Updates path-to-regexp from 8.3.0 to 8.4.2

Release notes

Sourced from path-to-regexp's releases.

v8.4.2

Fixed

  • Error on trailing backslash (#434) 9a78879

Performance

  • Minimize array allocations (#437) 937c02d
  • Improve compile performance (#436) 57247e6
    • Should improve compilation performance by ~25%
  • Remove internal tokenization during parse (#435) 5844988
    • Should improve parse performance by ~20%

Bundle size to 1.93 kB, from 1.97 kB.


pillarjs/path-to-regexp@v8.4.1...v8.4.2

v8.4.1

Fixed

  • Remove trie deduplication (#431) 6bc8e84
    • Using a trie required non-greedy matching, which regressed wildcards in non-ending mode by matching them up until the first match. For example:
      • /*foo with /a/b = /a
      • /*foo.htmlwith /a/b.html/c.html = /a/b.html
  • Allow backtrack handling to match itself (#427) 5bcd30b
    • When backtracking was introduced, it rejected matching things like /:"a"_:"b" against /foo__. This makes intuitive sense because the second parameter is not going to backtrack on _ anymore, but it's somewhat unexpected since there's no reason it shouldn't match the second _.

pillarjs/path-to-regexp@v8.4.0...v8.4.1

v8.4.0

Important

Fixed

Changed

  • Dedupes regex prefixes (pillarjs/path-to-regexp#422)
    • This will result in shorter regular expressions for some cases using optional groups
  • Rejects large optional route combinations (pillarjs/path-to-regexp#424)
    • When using groups such as /users{/delete} it will restrict the number of generated combinations to < 256, equivalent to 8 top-level optional groups and unlikely to occur in a real world application, but avoids exploding the regex size for applications that accept user created routes
Commits

Updates shell-quote from 1.8.3 to 1.8.4

Changelog

Sourced from shell-quote's changelog.

v1.8.4 - 2026-05-22

Commits

  • [Fix] quote: validate object-token shapes 4378a6e
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint, npmi...

    Description has been truncated

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 12, 2026
…pdates

Bumps the npm_and_yarn group with 3 updates in the / directory: [@nestjs/core](https://github.com/nestjs/nest/tree/HEAD/packages/core), [ws](https://github.com/websockets/ws) and [yaml](https://github.com/eemeli/yaml).


Updates `@nestjs/core` from 11.1.13 to 11.1.27
- [Release notes](https://github.com/nestjs/nest/releases)
- [Commits](https://github.com/nestjs/nest/commits/v11.1.27/packages/core)

Updates `axios` from 1.13.4 to 1.18.1
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.13.4...v1.18.1)

Updates `basic-ftp` from 5.1.0 to 5.3.1
- [Release notes](https://github.com/patrickjuchli/basic-ftp/releases)
- [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md)
- [Commits](patrickjuchli/basic-ftp@v5.1.0...v5.3.1)

Updates `brace-expansion` from 2.0.2 to 5.0.6
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@v2.0.2...v5.0.6)

Updates `file-type` from 21.3.0 to 21.3.4
- [Release notes](https://github.com/sindresorhus/file-type/releases)
- [Commits](sindresorhus/file-type@v21.3.0...v21.3.4)

Updates `follow-redirects` from 1.15.11 to 1.16.0
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.11...v1.16.0)

Updates `immutable` from 3.7.6 to 5.1.8
- [Release notes](https://github.com/immutable-js/immutable-js/releases)
- [Changelog](https://github.com/immutable-js/immutable-js/blob/main/CHANGELOG.md)
- [Commits](immutable-js/immutable-js@3.7.6...v5.1.8)

Updates `ip-address` from 10.1.0 to 10.2.0
- [Commits](beaugunderson/ip-address@v10.1.0...v10.2.0)

Updates `minimatch` from 9.0.5 to 10.2.5
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v9.0.5...v10.2.5)

Updates `path-to-regexp` from 8.3.0 to 8.4.2
- [Release notes](https://github.com/pillarjs/path-to-regexp/releases)
- [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md)
- [Commits](pillarjs/path-to-regexp@v8.3.0...v8.4.2)

Updates `shell-quote` from 1.8.3 to 1.8.4
- [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md)
- [Commits](ljharb/shell-quote@v1.8.3...v1.8.4)

Updates `ws` from 8.19.0 to 8.21.0
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.19.0...8.21.0)

Updates `yaml` from 2.8.2 to 2.9.0
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](eemeli/yaml@v2.8.2...v2.9.0)

---
updated-dependencies:
- dependency-name: "@nestjs/core"
  dependency-version: 11.1.26
  dependency-type: indirect
- dependency-name: axios
  dependency-version: 1.17.0
  dependency-type: indirect
- dependency-name: basic-ftp
  dependency-version: 5.3.1
  dependency-type: indirect
- dependency-name: brace-expansion
  dependency-version: 5.0.6
  dependency-type: indirect
- dependency-name: file-type
  dependency-version: 21.3.4
  dependency-type: indirect
- dependency-name: follow-redirects
  dependency-version: 1.16.0
  dependency-type: indirect
- dependency-name: immutable
  dependency-version: 5.1.6
  dependency-type: indirect
- dependency-name: ip-address
  dependency-version: 10.2.0
  dependency-type: indirect
- dependency-name: minimatch
  dependency-version: 10.2.5
  dependency-type: indirect
- dependency-name: path-to-regexp
  dependency-version: 8.4.2
  dependency-type: indirect
- dependency-name: shell-quote
  dependency-version: 1.8.4
  dependency-type: indirect
- dependency-name: ws
  dependency-version: 8.21.0
  dependency-type: indirect
- dependency-name: yaml
  dependency-version: 2.9.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Bump the npm_and_yarn group across 1 directory with 13 updates build(deps): Bump the npm_and_yarn group across 1 directory with 13 updates Jun 29, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-bead21617e branch from a39554f to e8bdeaf Compare June 29, 2026 17:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants