Skip to content

Bump the frontend-security group across 1 directory with 4 updates#14

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/frontend/frontend-security-757020e6e5
Open

Bump the frontend-security group across 1 directory with 4 updates#14
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/frontend/frontend-security-757020e6e5

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 26, 2026

Copy link
Copy Markdown

Bumps the frontend-security group with 4 updates in the /frontend directory: next, fast-uri, ip-address and qs.

Updates next from 14.2.14 to 15.5.18

Release notes

Sourced from next's releases.

v15.5.18

This release contains security fixes for the following advisories:

High:

Moderate:

Low:

v15.5.16

This release contains security fixes for the following advisories:

High:

Moderate:

Low:

Commits
  • 9ff92ce v15.5.18
  • 00ebe23 [backport] Disable build caches for production/staging/force-preview deploys ...
  • 62c97ab v15.5.17
  • 423623a Turbopack: Match proxy matchers with webpack implementation (#93594)
  • fa78739 Turbopack: Fix middleware matcher suffix (#93590)
  • 36e62c6 [backport] Turbopack: more strict vergen setup (#93588)
  • 36589b5 [backport][test] Pin package manager to patch versions (#93596)
  • ad6fd4e v15.5.16
  • 79d7dff Ignore malformed CSP nonce headers (#103)
  • c4f6908 router-server: guard upgrade proxy against absolute-url SSRF (#77) (#102)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.


Updates fast-uri from 3.1.0 to 3.1.2

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

What's Changed

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

What's Changed

New Contributors

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

Commits
  • 919dd8e Bumped v3.1.2
  • c65ba57 fixup: linting
  • 6c86c17 Merge commit from fork
  • a95158a Handle malformed fragment decoding without throwing (#171)
  • cea547c Bumped v3.1.1
  • 876ce79 Merge commit from fork
  • dcdf690 ci: add lock-threads workflow (#169)
  • c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
  • 9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
  • 85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
  • Additional commits viewable in compare view

Updates ip-address from 10.1.0 to 10.2.0

Commits
  • 80fccaa 10.2.0
  • abaeb4d Type Address4.addressMinusSuffix as non-nilable (closes #143)
  • 2878c29 Preserve subnet prefix through Address6.to4() (closes #123) (#203)
  • 586666e Reject trailing junk in Address6.fromURL (closes #158) (#202)
  • 80bc76e Validate static factories instead of silently overflowing (#201)
  • 98927be Clarify isValid() accepts CIDRs with host bits set (#81)
  • a0eb073 Fix getScope() and broaden getType() classification (closes #122) (#200)
  • ec52105 Add networkForm() for CIDR network-address strings (#199)
  • a9443a7 Add isMapped4() predicate for IPv4-mapped IPv6 addresses (closes #62) (#198)
  • f01d742 Add address-property predicates (private, ULA, loopback, link-local, etc.) (#...
  • Additional commits viewable in compare view

Updates qs from 6.15.1 to 6.15.3

Changelog

Sourced from qs's changelog.

6.15.3

  • [Fix] parse: enforce throwOnLimitExceeded for cumulative array growth via combine/merge
  • [Fix] utils: respect encoding of surrogate pairs across chunks (#559)
  • [Robustness] parse: throw the arrayLimit error before splitting oversized comma values
  • [Robustness] utils.merge / utils.assign: avoid invoking __proto__ setter when copying own properties
  • [Robustness] utils: enforce arrayLimit consistently across merge's array paths
  • [Perf] utils: make compact O(n) via a side-channel visited-set instead of Array.indexOf
  • [Deps] update side-channel
  • [Dev Deps] update eslint, mock-property, tape
  • [Tests] parse: characterize current lenient handling of unbalanced bracket keys (#558)

6.15.2

  • [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
  • [Fix] stringify: use configured delimiter after charsetSentinel (#555)
  • [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
  • [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
  • [Fix] parse: handle nested bracket groups and add regression tests (#530)
  • [readme] fix grammar (#550)
  • [Dev Deps] update @ljharb/eslint-config
  • [Tests] add regression tests for keys containing percent-encoded bracket text
Commits
  • 18d085e v6.15.3
  • c38af42 [Deps] update side-channel
  • adce539 [Dev Deps] update eslint, mock-property, tape
  • 74a0f6a [Robustness] utils: enforce arrayLimit consistently across merge's arra...
  • f4938f5 [Tests] parse: characterize current lenient handling of unbalanced bracket ...
  • 5d5f723 [Perf] utils: make compact O(n) via a side-channel visited-set instead of...
  • 52afe00 [Robustness] parse: throw the arrayLimit error before splitting oversized...
  • 963e538 [Fix] parse: enforce throwOnLimitExceeded for cumulative array growth via...
  • 59da434 [Fix] utils: respect encoding of surrogate pairs across chunks
  • 9532969 [Robustness] utils.merge / utils.assign: avoid invoking __proto__ sette...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the frontend-security group across 1 directory with 4 updates
d1206a0 
Bumps the frontend-security group with 4 updates in the /frontend directory: [next](https://github.com/vercel/next.js), [fast-uri](https://github.com/fastify/fast-uri), [ip-address](https://github.com/beaugunderson/ip-address) and [qs](https://github.com/ljharb/qs).


Updates `next` from 14.2.14 to 15.5.18
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v14.2.14...v15.5.18)

Updates `fast-uri` from 3.1.0 to 3.1.2
- [Release notes](https://github.com/fastify/fast-uri/releases)
- [Commits](fastify/fast-uri@v3.1.0...v3.1.2)

Updates `ip-address` from 10.1.0 to 10.2.0
- [Commits](beaugunderson/ip-address@v10.1.0...v10.2.0)

Updates `qs` from 6.15.1 to 6.15.3
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.15.1...v6.15.3)

---
updated-dependencies:
- dependency-name: next
  dependency-version: 15.5.18
  dependency-type: direct:production
  dependency-group: frontend-security
- dependency-name: fast-uri
  dependency-version: 3.1.2
  dependency-type: indirect
  dependency-group: frontend-security
- dependency-name: ip-address
  dependency-version: 10.2.0
  dependency-type: indirect
  dependency-group: frontend-security
- dependency-name: qs
  dependency-version: 6.15.3
  dependency-type: indirect
  dependency-group: frontend-security
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 26, 2026
@dependabot dependabot Bot requested a review from sanmaxdev as a code owner June 26, 2026 08:39
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 26, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sanmaxdev sanmaxdev sanmaxdev approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sanmaxdev